PHPGurukul Student Record Management System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Student Record Management System version 1.0. The issue arises in the /edit-subject.php file, specifically within the Subject 1 field. The application does not properly validate or encode user input before saving it to the database and displaying it in the browser. This flaw allows authenticated administrators to inject malicious JavaScript, which is executed when the subject record is accessed or edited. As a result, this vulnerability enables the execution of arbitrary JavaScript in the context of the administrator's browser.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the browser of an authenticated administrator. This could lead to session hijacking through cookie theft, unauthorized administrative actions, and a persistent compromise that affects all users who view the modified subject record.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the /edit-subject.php page. In the Subject 1 field, enter a script payload, such as a JavaScript alert script. After saving the subject, return to the /edit-subject.php page and edit the modified subject. The injected JavaScript will execute, demonstrating the stored cross-site scripting vulnerability.

Remediation

It is recommended to implement strict server-side input validation and sanitization, encode all user output using context-aware encoding methods, and establish a strong Content Security Policy. Additionally, enable HTTPOnly and Secure flags on session cookies, conduct secure code reviews to ensure consistent output encoding, and apply centralized input filtering mechanisms and security testing before deployment.