SourceCodester CET Automated Grading System Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics, version 1.0. The issue resides in the student registration component, specifically within the index.php file. An unauthenticated attacker can submit JavaScript payloads in several registration fields, including student ID, full name, section, and username. The submitted values are stored and later rendered in the administrator dashboard without sufficient output encoding, so the payloads execute in the browser session of any administrator who views the page.
Impact
An unauthenticated attacker can use the public student registration portal to plant persistent JavaScript in the admin dashboard. The script runs automatically, with the administrator's privileges, each time an administrator views the dashboard. Because it executes inside the administrator's authenticated browser session, it can issue requests to the application as the administrator and, if the session cookie is not marked HttpOnly, read the cookie itself, which can lead to session hijacking and full compromise of the admin account.
Reproduction
To reproduce this vulnerability, navigate to the student registration page and fill in the registration fields with XSS payloads, for example an SVG image carrying a JavaScript event handler such as onload. Submit the registration; the payloads are stored in the database unmodified. Then log in as an administrator and open the dashboard: the injected scripts execute, which confirms the vulnerability.
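The following is an added example, written for this page and not taken from the SourceCodester project, that models the registration-to-dashboard flow described above and shows the vulnerable output pattern next to a hardened one. The field names, the row layout, and the function names (render_row_unsafe, render_row_safe, e, looks_like_markup) are assumptions; the real index.php is not reproduced here. The sample row is constructed for the demonstration.

```php
<?php
// Added example (not project code): vulnerable vs hardened rendering of
// registration data in an admin dashboard. Runs from the CLI: php example.php
declare(strict_types=1);

// Constructed sample row: what an unauthenticated registrant could store.
// Field names are assumed, not taken from the real application.
// The SVG event handler is the payload class the advisory describes.
$row = [
    'student_id' => '2024-001',
    'full_name'  => '<svg onload=alert(document.cookie)>',
    'section'    => 'A" onmouseover="alert(1)',
    'username'   => 'attacker',
];

// Vulnerable pattern: stored values are concatenated straight into the
// dashboard HTML, so any markup in them becomes part of the page.
function render_row_unsafe(array $row): string
{
    $html = '<tr>';
    foreach ($row as $value) {
        $html .= '<td>' . $value . '</td>';
    }
    return $html . '</tr>';
}

// Hardened pattern: encode at output time for the HTML context the value lands in.
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so attribute-context breakouts fail too.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    $html = '<tr>';
    foreach ($row as $value) {
        $html .= '<td>' . e((string) $value) . '</td>';
    }
    return $html . '</tr>';
}

// Optional input-side check at registration time. This is a heuristic and
// not a substitute for output encoding, but rejecting markup in fields that
// never legitimately contain it (IDs, usernames) shrinks the attack surface.
function looks_like_markup(string $value): bool
{
    return (bool) preg_match('/[<>]|\bon\w+\s*=|javascript:/i', $value);
}

echo "Unsafe rendering (payload reaches the browser intact):\n";
echo render_row_unsafe($row), "\n\n";

echo "Safe rendering (payload is displayed as text):\n";
echo render_row_safe($row), "\n\n";

echo "Registration-time check:\n";
foreach ($row as $field => $value) {
    if (looks_like_markup((string) $value)) {
        echo "  reject field '{$field}': contains markup or an event handler\n";
    }
}
```

Output encoding at the sink is the fix that closes the bug; the registration-time check only reduces exposure. As defence in depth against the session hijacking described under Impact, the admin session cookie should also be set with the HttpOnly, Secure and SameSite attributes (for example via session_set_cookie_params before session_start), which stops injected script from reading the cookie even though it can still act as the administrator while the page is open.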