SourceCodester Class and Exam Timetabling System
- 1.0
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Class and Exam Timetabling System version 1.0. The issue arises in the file '/schoolyr.php', where the 'sy' parameter is not properly validated or encoded, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely, with public proof-of-concept available.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the user or redirecting them to malicious websites.
To reproduce this vulnerability, access the '/admin/schoolyr.php' page. Edit the 'schoolyr' section and insert a script payload into the 'sy' parameter. Once submitted, the injected script will execute, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, implement proper output encoding for user inputs, especially in the 'sy' parameter of the '/schoolyr.php' file. Additionally, validate and filter input data to reject or escape potentially malicious content. Consider using a Content Security Policy (CSP) to restrict script execution sources, and set secure and HttpOnly flags for sensitive cookies. Regular security audits can help identify and fix such vulnerabilities.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.