itsourcecode Student Transcript Processing System Cross-Site Scripting Vulnerability in Version 1.0
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in the itsourcecode Student Transcript Processing System version 1.0. The issue resides in the file '/admin/modules/subject/edit.php', where the 'pre' parameter (the 'Prerequisite' field of the subject edit form) is saved and later rendered back into the page without output encoding, so an attacker-supplied value is interpreted as HTML and executes arbitrary JavaScript in the browser of any user who views the affected page. The payload is delivered over the network, so no local access is required; however, the vulnerable file is part of the admin module and the reproduction steps below require an authenticated session, so this should be treated as an authenticated stored XSS rather than an unauthenticated one.
Impact
Exploitation of this vulnerability allows arbitrary JavaScript to run in the browser of any user who views the affected page, with that user's session and privileges. Because the payload is stored server-side, it fires for every subsequent visitor rather than only for the attacker, potentially leading to session hijacking, phishing, or full account compromise. Marking the session cookie HttpOnly prevents the script from reading the cookie directly but does not stop it from issuing requests in the victim's session.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the subject (course) edit page served by '/admin/modules/subject/edit.php'. Enter a script payload, for example a plain <script> tag, into the 'Prerequisite' field and save the changes. The value is stored without encoding; when the page is reloaded the injected script executes, demonstrating the stored cross-site scripting vulnerability. A payload that opens with a double quote is useful to confirm that the value is reflected inside an HTML attribute as well as in body text.
Remediation
Encode user-supplied data for the context in which it is output: in PHP, pass the stored 'pre' value through htmlspecialchars() with ENT_QUOTES before placing it in HTML body or attribute context. Input validation is a useful additional layer (for example, restricting the 'Prerequisite' field to the characters a subject code can legitimately contain), but it does not replace output encoding, because the same value may later be rendered in a context the validation did not anticipate. Additionally, a Content Security Policy (CSP) that disallows inline scripts limits the impact of any remaining injection by controlling which scripts the browser will execute.
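The following PHP is an added illustration of the bug class and its fix, not code from the itsourcecode project; the form markup, function names and the constructed stored value are assumptions, since the advisory does not reproduce the vendor's source. It shows the unencoded rendering that the advisory describes beside an encoded version, an allowlist check for the 'Prerequisite' field, and a CSP header as defence in depth.

```php
<?php
// Added example, not the vendor's code. Assumption: the subject edit form
// reads the stored 'pre' value and echoes it into an <input> value attribute.

// Constructed sample of a stored 'pre' value after an attacker saved it.
// The leading quote closes the value attribute; the rest is injected markup.
$pre_from_db = '"><script>alert(document.cookie)</script>';

// Vulnerable rendering (hypothetical): the raw value is concatenated into HTML,
// so the quote terminates the attribute and the <script> tag becomes live markup.
function render_vulnerable(string $pre): string {
    return '<input type="text" name="pre" value="' . $pre . '">';
}

// Hardened rendering: HTML-encode at the point of output. ENT_QUOTES encodes
// both quote styles so the value cannot break out of the attribute, ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and the
// explicit UTF-8 charset avoids charset-dependent encoding mistakes.
function render_safe(string $pre): string {
    $enc = htmlspecialchars($pre, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="pre" value="' . $enc . '">';
}

// Optional input validation on save (assumed format: a subject code such as
// letters, digits, spaces and hyphens, up to 32 characters). This narrows the
// attack surface but is a second layer; output encoding is still required.
function is_valid_prerequisite(string $pre): bool {
    return preg_match('/^[A-Za-z0-9 \-]{0,32}$/', $pre) === 1;
}

// Defence in depth: a CSP that refuses inline scripts. header() must be called
// before any output is sent, so this belongs at the top of the page.
function send_csp(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

if (!headers_sent()) {
    send_csp();
}

// Server-side check that would reject the constructed payload on save.
var_dump(is_valid_prerequisite($pre_from_db));

// The two renderings side by side: the first carries live <script> markup,
// the second keeps the whole value inside the attribute as text.
echo render_vulnerable($pre_from_db), "\n";
echo render_safe($pre_from_db), "\n";
```

The fix that matters is render_safe(): encoding happens at output, in the context where the value lands. If the same value is also written into a JavaScript string or a URL elsewhere in the application, each of those contexts needs its own encoder, and the allowlist check alone should not be relied on to cover them.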
