Platform: php
Component: vulnerabilities
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Campcodes School Management Software versions 1.0 through 1.0. This flaw resides in the /create-id-card endpoint, specifically concerning the handling of the 'ID Card Title' parameter. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. A patch is available in version 1.0.1.
The XSS vulnerability in Campcodes School Management Software allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the software is used in a sensitive environment, such as a school with student data, as attackers could potentially gain access to confidential information. The remote nature of the exploit means it can be launched from anywhere with network access to the vulnerable system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns or KEV listing at the time of writing. Public proof-of-concept code is likely to emerge given the disclosure.
Exploit Status
EPSS: 0.10% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0559 is to upgrade Campcodes School Management Software to version 1.0.1, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'ID Card Title' parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'ID Card Title' field and verifying that it is properly sanitized.
Update the School Management Software to a version later than 1.0, if available, that fixes the Cross-Site Scripting (XSS) vulnerability on the ID card creation page. If no update is available, consider disabling or removing the ID card creation functionality or implementing input sanitization measures for the 'ID Card Title' field to prevent the injection of malicious code.
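The workaround described above (input validation plus output encoding on the 'ID Card Title' value) is shown below as an added PHP example; it is not Campcodes code and does not reflect the software's actual source. The function names, the `card_title` parameter name and the 100-character limit are assumptions; the sample title is constructed.

```php
<?php
// Added example (not Campcodes code): safely handling a user-supplied
// "ID Card Title". Function names and the length limit are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into HTML, so any
// markup in the title is parsed and executed by the viewer's browser.
function renderTitleUnsafe(string $title): string
{
    return '<h2 class="card-title">' . $title . '</h2>';
}

// Hardened pattern: contextual output encoding for an HTML text node.
// ENT_QUOTES also encodes both quote characters, so the same helper is safe
// inside a quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string for the whole title.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<h2 class="card-title">' . escapeHtml($title) . '</h2>';
}

// Server-side input validation, applied before the title is stored.
// It bounds the length and rejects control characters. It does NOT replace
// output encoding: a legitimate title such as "Tom & Jerry's <Class of 2025>"
// contains HTML metacharacters and must still render correctly and safely.
function validateTitle(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title) === 1) {
        return null;
    }
    return $title;
}

// Constructed sample input standing in for $_POST['card_title'].
$submitted = "Tom & Jerry's <Class of 2025>";

$clean = validateTitle($submitted);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid ID card title');
}

echo renderTitleSafe($clean), PHP_EOL;
```

Validation narrows what is accepted (length, no control characters), while encoding at the point of output is what actually prevents the stored title from being interpreted as HTML; keep both, and apply `escapeHtml()` at every place the title is rendered, not only on the creation page.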
CVE-2025-0559 is a cross-site scripting (XSS) vulnerability in Campcodes School Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'ID Card Title' parameter.
If you are using Campcodes School Management Software version 1.0 or 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'ID Card Title' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Prompt patching is recommended.
Please refer to the Campcodes website or their official communication channels for the advisory related to CVE-2025-0559.