Manikandan580 School Management System Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Manikandan580's School Management System version 1.0. The issue resides in contact-us.php in the admin directory, where the value of the pagedes POST parameter is reflected back into the page without output encoding. This allows an attacker to inject a script that is executed in the administrator's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to /studentms/admin/contact-us.php with a payload in the pagedes parameter that includes a script tag. The injected script will be executed in the administrator's browser.

Remediation

To address this vulnerability, output encoding should be applied by using htmlspecialchars() before displaying any user-supplied data in a textarea. Additionally, input sanitization should be implemented to remove HTML tags from description fields before saving or displaying them. A strict Content Security Policy should be adopted to block the execution of inline scripts, and admin session cookies should be configured with HttpOnly and SameSite attributes to mitigate the risk of cookie theft.
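The following PHP is an added example, not the School Management System's own code, showing the four remediations listed above together. It assumes the admin page echoes the pagedes POST field back into a textarea; the function names, the session and CSP settings, and the commented-out vulnerable form are assumptions made for illustration.

```php
<?php
// Added example (not the project's own code). Assumes the admin page reflects
// the pagedes POST field into a <textarea>; all function names are hypothetical.

declare(strict_types=1);

// 1. Session cookie flags, set before session_start(): HttpOnly keeps the
//    cookie out of reach of script, SameSite withholds it on cross-site requests.
function configure_admin_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Strict',
        'secure'   => true,   // only transmitted over HTTPS
        'path'     => '/',
    ]);
    session_start();
}

// 2. A Content Security Policy without 'unsafe-inline', so an injected inline
//    <script> is refused by the browser even if encoding is ever missed.
//    Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// 3. Input sanitization: remove HTML tags from the description before it is
//    stored. This is defence in depth; output encoding (below) is the primary fix.
function sanitize_description(string $raw): string
{
    return trim(strip_tags($raw));
}

// 4. Output encoding: htmlspecialchars() on every user-supplied value written
//    into the textarea. Without it, a closing </textarea> in the value ends the
//    element and whatever follows is parsed as markup.
function render_description_field(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="pagedes" id="pagedes" rows="5">' . $safe . '</textarea>';
}

// Vulnerable pattern the advisory describes (assumed form, kept for contrast):
//   echo '<textarea name="pagedes">' . $_POST['pagedes'] . '</textarea>';

configure_admin_session();
send_csp_header();

$pagedes = (string)($_POST['pagedes'] ?? '');
$clean   = sanitize_description($pagedes);   // the value that would be saved
echo render_description_field($clean);
```

Of the four measures, output encoding is the one that removes the vulnerability; strip_tags() on input cannot be relied on alone because it does not encode quotes or angle brackets that survive tag removal, and the CSP and cookie flags limit the damage of any injection that still gets through rather than preventing it.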

Added: Apr 14, 2026, 5:49 PM
Updated: Apr 14, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.5
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.