SourceCodester Class and Exam Timetabling System Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Class and Exam Timetabling System version 1.0. The issue arises in the file '/schoolyr.php', where the 'sy' parameter is not properly validated or encoded, allowing attackers to inject malicious scripts. This vulnerability can be exploited remotely, with public proof-of-concept available.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the user or redirecting them to malicious websites.

Reproduction

To reproduce this vulnerability, access the '/admin/schoolyr.php' page. Edit the 'schoolyr' section and insert a script payload into the 'sy' parameter. Once submitted, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, implement proper output encoding for user inputs, especially in the 'sy' parameter of the '/schoolyr.php' file. Additionally, validate and filter input data to reject or escape potentially malicious content. Consider using a Content Security Policy (CSP) to restrict script execution sources, and set secure and HttpOnly flags for sensitive cookies. Regular security audits can help identify and fix such vulnerabilities.

Added: Jul 18, 2026, 9:23 PM
Updated: Jul 18, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.7
exploitability
7.5
remediation
0.0
relevance
9.9
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.