Cyber-III Student-Management-System Class Schedule Deletion Endpoint Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Cyber-III Student-Management-System in the class schedule deletion endpoint located at '/admin/class schedule/delete_batch.php'. This issue arises from the absence of proper administrator permission checks, allowing unauthorized access to the endpoint. Additionally, the 'batch' parameter in POST requests is not properly sanitized before being included in the HTML response, enabling the injection of malicious scripts that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access the class schedule deletion endpoint without administrative privileges. Send a POST request to '/admin/class%20schedule/delete_batch.php' with the 'batch' parameter containing a script tag, such as '<script>alert("XSS_POC")</script>'. The server will respond with a message indicating successful deletion, but the injected script will execute in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to add proper authentication and authorization checks to ensure that only users with administrative privileges can access the deletion endpoint. Additionally, output should be escaped using 'htmlspecialchars()' to prevent cross-site scripting.