SapneshNaik Student Management System Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the SapneshNaik Student Management System, specifically in the latest commit prior to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318. The issue resides in the 'index.php' and 'admin.php' files, where the application improperly handles the 'error' GET parameter. Because the parameter is not validated, sanitized, or encoded, remote attackers can inject malicious scripts that are executed in the context of the user's browser. Exploitation is straightforward and requires only user interaction to trigger the XSS payloads.
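The following is an added example, not code from the Student Management System repository: it contrasts the reflected-parameter pattern described above with two hardened forms, written to run on PHP 5.6. The function names, error codes, and message strings are hypothetical, and it assumes the pages write the 'error' value into their HTML output.

```php
<?php
// Added example, not the project's code. Assumption: the page writes
// $_GET['error'] into its HTML response, as the advisory describes.

/** Vulnerable pattern: the raw parameter is concatenated into markup. */
function render_error_unsafe(array $query)
{
    $error = isset($query['error']) ? $query['error'] : '';
    return '<p class="error">' . $error . '</p>';
}

/** Minimal fix: HTML-encode on output so the value is rendered as text. */
function render_error_encoded(array $query)
{
    // Reject non-string input such as ?error[]=x before encoding.
    $error = (isset($query['error']) && is_string($query['error'])) ? $query['error'] : '';
    return '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}

/** Stronger fix: the parameter only selects a server-side message. */
function render_error_allowlisted(array $query)
{
    // Hypothetical error codes and messages, chosen for illustration.
    $messages = array(
        'invalid_login'   => 'Invalid username or password.',
        'session_expired' => 'Your session has expired. Please sign in again.',
    );
    $code = (isset($query['error']) && is_string($query['error'])) ? $query['error'] : '';
    if ($code === '') {
        return '';
    }
    $text = array_key_exists($code, $messages) ? $messages[$code] : 'An error occurred.';
    return '<p class="error">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: harmless markup standing in for untrusted text.
$sample = array('error' => '<b>not plain text</b>');
echo render_error_unsafe($sample), "\n";
echo render_error_encoded($sample), "\n";
echo render_error_allowlisted($sample), "\n";
echo render_error_allowlisted(array('error' => 'invalid_login')), "\n";
```

In a page, each function would be called with `$_GET`; the allow-listed form keeps request text out of the response entirely, so it does not depend on every output site remembering to encode.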
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user’s browser. This could lead to session hijacking, redirection to malicious sites, or other harmful actions under the user's account.
Reproduction
To reproduce this vulnerability, deploy the SapneshNaik Student Management System on a XAMPP server with PHP 5.6. After setting up the environment and importing the necessary database, access 'index.php' or 'admin.php' with a crafted URL that includes a script payload in the 'error' parameter. The injected script will execute, demonstrating the XSS vulnerability.
