Plattform
php
Komponente
critical-security-vulnerability-report-stored-xss
Behoben in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Student Information System version 1.0. This flaw allows attackers to inject malicious scripts into the application via manipulation of the firstname/lastname parameters within the /profile.php file. Successful exploitation could lead to session hijacking or defacement. The vulnerability affects version 1.0 and is resolved in version 1.0.1.
The primary impact of this XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as session cookies, which could then be used to impersonate the user. Attackers could also modify the content of the Student Information System, potentially defacing the site or redirecting users to malicious websites. Given the public availability of an exploit, the risk of exploitation is elevated.
This vulnerability is considered LOW severity according to CVSS. A public proof-of-concept exploit is available, indicating a higher risk of exploitation. The vulnerability was published on 2025-12-24. No KEV listing or confirmed exploitation campaigns are currently known.
Educational institutions and organizations utilizing the code-projects Student Information System version 1.0 are at risk. Specifically, those with publicly accessible instances of the system and those lacking robust input validation practices are particularly vulnerable.
• php / web:
grep -r "firstname|lastname" /profile.php• generic web:
curl -I http://your-student-info-system.com/profile.php?firstname=<script>alert(1)</script>• generic web:
curl -I http://your-student-info-system.com/profile.php?lastname=<img src=x onerror=alert(1)>disclosure
poc
Exploit-Status
EPSS
0.04% (13% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation for CVE-2025-15052 is to immediately upgrade to version 1.0.1 of the Student Information System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the firstname and lastname parameters in /profile.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /profile.php endpoint can provide an additional layer of defense. Monitor access logs for suspicious requests containing unusual characters or patterns in the firstname/lastname parameters.
Actualice el Student Information System a una versión parcheada o implemente medidas de sanitización de entradas en el archivo /profile.php para evitar la ejecución de código XSS. Valide y escape las variables firstname y lastname antes de mostrarlas en la página.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-15052 is a cross-site scripting (XSS) vulnerability in Student Information System version 1.0, allowing attackers to inject malicious scripts via the firstname/lastname parameters in /profile.php.
If you are using Student Information System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the firstname and lastname parameters.
A public proof-of-concept exploit is available, suggesting a potential for active exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-15052.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.