yashpokharna2555 Student Management System Cross-Site Scripting Vulnerability in student.php
Vulnerability
A stored cross-site scripting vulnerability has been identified in the yashpokharna2555 Student Management System. The issue resides in the student.php file: manipulating the FIRST_NAME argument leads to the execution of injected scripts. This vulnerability can be exploited remotely and has been made public. The application uses continuous delivery with rolling releases, so specific version details are not available.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's session. This could result in the theft of session cookies, leading to a full account takeover. If an administrator's session is compromised, it could allow for back-end privilege escalation or unauthorized data manipulation.
Reproduction
To reproduce this vulnerability, first exploit the separate unauthorized data insertion vulnerability to add a student with a malicious script in the FIRST_NAME field. Then, log into the application and navigate to the student.php page. The injected script will execute, demonstrating the cross-site scripting vulnerability.
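Mitigation sketch, as an added example that is not the project's own code: the concatenation pattern that produces a stored XSS in a name column, beside output encoding and an input check. The function names, the row layout and the name rule are assumptions, since the source of student.php is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the real student.php is not reproduced on this page.

// Vulnerable pattern: the stored value is concatenated into HTML unencoded,
// so any markup saved in FIRST_NAME is interpreted by the browser.
function render_row_vulnerable(array $student): string
{
    return '<tr><td>' . $student['FIRST_NAME'] . '</td></tr>';
}

// Encode for the HTML text/attribute context at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: every database value passes through h() before output.
function render_row_safe(array $student): string
{
    return '<tr><td>' . h((string) $student['FIRST_NAME']) . '</td></tr>';
}

// Input-side check (assumed rule): starts with a letter, then letters,
// spaces, apostrophes or hyphens, 50 characters at most.
function is_valid_first_name(string $name): bool
{
    return preg_match('/^\p{L}[\p{L} \'\-]{0,49}\z/u', $name) === 1;
}

// Constructed sample row, standing in for a record read from the database.
$stored = ['FIRST_NAME' => '<script>/* constructed marker */</script>'];

// Unencoded: the script element reaches the page as markup.
echo render_row_vulnerable($stored), PHP_EOL;

// Encoded: angle brackets become entities and the value is shown as text.
echo render_row_safe($stored), PHP_EOL;

// The constructed value is rejected at insert time; an ordinary name passes.
var_dump(is_valid_first_name($stored['FIRST_NAME']));
var_dump(is_valid_first_name("Anne-Marie O'Neil"));
```

Encoding at output is the fix for the rendering path; the input check is defence in depth and does not replace it, because rows already stored are only neutralised when they are encoded on display.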
