Platform
php
Component
student-grades-management-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Student Grades Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'Remarks' argument within the /grades.php endpoint, potentially compromising user sessions and data. The vulnerability is addressed in version 1.0.1, and users are strongly advised to upgrade.
Successful exploitation of CVE-2025-13349 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, redirection to phishing sites, and theft of sensitive information such as student grades and personal details. The impact is amplified if the system is used in an educational environment with sensitive student data. While the CVSS score is LOW, the potential for data compromise and disruption warrants immediate attention.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. The availability of a public exploit suggests a higher probability of active scanning and attacks targeting vulnerable instances of the Student Grades Management System. No KEV listing or EPSS score is currently available. The public disclosure date (2025-11-18) indicates a relatively short timeframe between discovery and public awareness.
Educational institutions and organizations utilizing the Student Grades Management System are at risk, particularly those relying on older, unpatched versions (1.0–1.0). Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially impact others.
• php: Examine the /grades.php file for inadequate input sanitization of the 'Remarks' parameter. Search for places where user-supplied data is written directly into the HTML without output encoding (the form may read the field via $_GET or $_POST, so match both):
grep -nE '\$_(GET|POST|REQUEST)\[.Remarks.\]' /var/www/html/grades.php
• generic web: Monitor access logs for unusual requests to /grades.php with suspicious values in the 'Remarks' field. Look for patterns indicative of XSS payloads; browsers URL-encode query strings, so match the encoded form as well as the literal tag:
grep -iE '<script|%3Cscript' /var/log/apache2/access.log | grep -i '/grades.php'
Disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13349 is to upgrade to version 1.0.1 of the Student Grades Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Remarks' field within the /grades.php endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Remarks field and verifying that it is properly sanitized.
Update Student Grades Management System to a version later than 1.0, if one exists, or apply a patch that fixes the cross-site scripting (XSS) vulnerability in the grades.php file. Validate and escape user input, especially the 'Remarks' argument, to prevent injection of malicious code. If no update is available, consider disabling or removing the vulnerable functionality.
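The mitigation paragraphs above recommend validating the 'Remarks' value and encoding it on output. The following is an added example written for this page, not code from SourceCodester or from grades.php itself: it places the weak pattern the advisory describes (untrusted input concatenated straight into HTML) beside a hardened version. The function names, the 500-character limit, and the assumption that the form submits Remarks via POST are all choices made for the example; the advisory does not state them.

```php
<?php
// Added example for CVE-2025-13349 (not the project's own code).
// Assumptions: the field is submitted via POST under the name 'Remarks';
// a 500-character cap is acceptable for this free-text field.
declare(strict_types=1);

// The weak pattern described in the advisory: the stored value is echoed
// into the page unchanged, so any markup in it is interpreted by the
// browser. Kept here only for comparison.
function render_remarks_unsafe(string $remarks): string
{
    return '<td>' . $remarks . '</td>';
}

// Step 1: validate on input. Remarks are free text, so we reject only
// what cannot legitimately appear (bad encoding, control characters,
// excessive length). Stripping "<script>" substrings is deliberately NOT
// done: blacklisting markup is unreliable; encoding on output is the fix.
function validate_remarks(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('Remarks must be valid UTF-8');
    }
    if (mb_strlen($raw, 'UTF-8') > 500) {
        throw new InvalidArgumentException('Remarks exceed 500 characters');
    }
    // Allow tab, LF and CR; reject every other C0 control character.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw) === 1) {
        throw new InvalidArgumentException('Remarks contain control characters');
    }
    return $raw;
}

// Step 2: encode for the HTML context at the point of output.
// ENT_QUOTES encodes both " and ' so the value is also safe inside
// quoted attributes; ENT_SUBSTITUTE replaces malformed sequences instead
// of silently returning an empty string, which would hide data.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_remarks_safe(string $remarks): string
{
    return '<td>' . esc_html($remarks) . '</td>';
}

// Constructed input: the harmless marker string an administrator would use
// to confirm the fix after upgrading, as the advisory suggests.
$sample = '<script>alert(1)</script> "quoted" & plain';

// In grades.php the value comes from the request; on the command line the
// constructed sample is used instead so the script runs stand-alone.
$raw = $_POST['Remarks'] ?? $sample;

try {
    $stored = validate_remarks($raw);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid Remarks: ' . esc_html($e->getMessage()) . PHP_EOL);
}

echo 'unsafe: ' . render_remarks_unsafe($stored) . PHP_EOL;
echo 'safe:   ' . render_remarks_safe($stored) . PHP_EOL;
```

Run from the command line, the "unsafe" line reproduces the vulnerable behaviour (the script tag survives intact), while the "safe" line shows the angle brackets, quotes and ampersand as HTML entities, which a browser renders as literal text. The same esc_html() call is what a WAF-independent fix in grades.php would apply wherever Remarks is written into the page; the validation step limits abuse but is not the XSS defence on its own.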
CVE-2025-13349 is a cross-site scripting (XSS) vulnerability affecting Student Grades Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /grades.php endpoint.
You are affected if you are running Student Grades Management System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Remarks' field in /grades.php.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation is possible.
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2025-13349.