Platform: php
Component: cve_hunter
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Advanced School Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to data theft and session hijacking. The vulnerability resides in the /index.php/notice/addNotice file, specifically within an unknown function that handles the 'noticeSubject' parameter. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-9306 allows an attacker to inject arbitrary JavaScript code into the Advanced School Management System. This code can then be executed in the context of a user's browser when they visit a crafted URL. The immediate impact is the potential for session hijacking, where an attacker can steal a user's session cookie and impersonate them. Furthermore, attackers could use this vulnerability to steal sensitive data displayed on the page, such as student records or administrative information. The attack is remotely exploitable, expanding the potential attack surface.
This vulnerability is publicly disclosed and a proof-of-concept exploit is available. It has been added to the CISA KEV catalog, indicating a medium probability of exploitation. The ease of exploitation, combined with the potential impact, warrants prompt remediation.
Schools and educational institutions using the Advanced School Management System version 1.0 are at significant risk. Organizations relying on this system for managing student data and administrative tasks should prioritize patching. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially compromise other users through this vulnerability.
• generic web: Use curl or wget to test the /index.php/notice/addNotice endpoint with a malicious payload (e.g., <script>alert('XSS')</script>).
curl -X POST -d "noticeSubject=<script>alert('XSS')</script>" http://your-school-management-system/index.php/notice/addNotice
• generic web: Examine access and error logs for suspicious requests containing XSS payloads.
• php: Review the /index.php/notice/addNotice file for inadequate input validation or output encoding of the 'noticeSubject' parameter.
Exploit status: disclosure, poc, patch
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-9306 is to upgrade to version 1.0.1 of the Advanced School Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'noticeSubject' parameter within the /index.php/notice/addNotice file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly scan the application for XSS vulnerabilities using automated tools.
Update the Advanced School Management System to a patched version that fixes the cross-site scripting (XSS) vulnerability. If no patched version is available, disable or remove the affected component (addNotice) until a fix is released. As a temporary measure, implement validation and sanitisation of input in the 'noticeSubject' field to prevent the injection of malicious code.
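As an added example that is not part of this advisory or of the SourceCodester code base, the following PHP shows the validate-on-input, encode-on-output pattern recommended above for 'noticeSubject'. The function names, the length limit and the HTML rendering context are assumptions, since the affected function in /index.php/notice/addNotice is not known.

```php
<?php
// Added example (hypothetical, not the application's own code): hardened
// handling of the 'noticeSubject' parameter from /index.php/notice/addNotice.
declare(strict_types=1);

const NOTICE_SUBJECT_MAX_LEN = 200; // assumed limit; align with the real schema

// Input validation: reject what a one-line subject should never contain.
// Deliberately no HTML "stripping" here: encoding belongs at output time.
function validate_notice_subject(string $raw): string
{
    $subject = trim($raw);
    if ($subject === '') {
        throw new InvalidArgumentException('noticeSubject must not be empty');
    }
    if (!mb_check_encoding($subject, 'UTF-8')) {
        throw new InvalidArgumentException('noticeSubject is not valid UTF-8');
    }
    if (mb_strlen($subject, 'UTF-8') > NOTICE_SUBJECT_MAX_LEN) {
        throw new InvalidArgumentException('noticeSubject is too long');
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $subject) === 1) {
        throw new InvalidArgumentException('noticeSubject contains control characters');
    }
    return $subject;
}

// Output encoding for an HTML body or attribute context. The vulnerable
// pattern the advisory describes is the equivalent of: echo $row['noticeSubject'];
// ENT_QUOTES also encodes both quote characters, so the same helper is safe
// inside a quoted attribute value; ENT_SUBSTITUTE avoids empty output on bad bytes.
function render_notice_subject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the probe payload quoted in this advisory, used
// only when the script is run outside a real request.
$posted = $_POST['noticeSubject'] ?? "<script>alert('XSS')</script>";
try {
    $clean = validate_notice_subject($posted);
    // Store $clean unencoded in the database; encode only when rendering.
    echo '<td>' . render_notice_subject($clean) . '</td>' . PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Rejected: ' . render_notice_subject($e->getMessage()) . PHP_EOL;
}
```

Keeping the stored value unencoded and encoding at each output point keeps the data usable in other contexts (JSON, e-mail) that need their own encoding rules.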
CVE-2025-9306 is a cross-site scripting (XSS) vulnerability affecting Advanced School Management System version 1.0, allowing attackers to inject malicious scripts via the noticeSubject parameter.
If you are using Advanced School Management System version 1.0, you are vulnerable. Upgrade to version 1.0.1 to resolve the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'noticeSubject' parameter.
CVE-2025-9306 is publicly disclosed and a proof-of-concept exploit is available, indicating a potential for active exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2025-9306.