Code-Projects School Fees Payment System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects School Fees Payment System version 1.0, specifically within the '/student.php' file. This issue arises from inadequate validation of user input in the 'sname', 'contact', 'about', 'emailid', and 'transcation_remark' parameters. As a result, attackers can inject malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking and unauthorized access to sensitive information.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed automatically when the affected page is loaded, potentially leading to session hijacking and unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, submit the 'sname', 'contact', 'about', 'emailid', and 'transcation_remark' fields on the '/student.php' page with script tags containing JavaScript code, such as 'alert()' calls. After submitting the form, the injected scripts will execute when the page is refreshed or when the 'edit' function is used. This vulnerability can also be triggered by accessing the 'Fee Detail' function on the '/report.php' page after injecting the scripts via the form.