Platform
php
Component
vulnerabilities
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CampCodes School Management Software versions 1.0 through 1.0. This vulnerability resides within the Photo Gallery Page component, specifically affecting the handling of the Description argument in the /photo-gallery file. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data. A patch is available in version 1.0.1.
The XSS vulnerability in CampCodes School Management Software allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the software is used in a sensitive environment, such as one handling student data, as attackers could potentially gain access to confidential information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the exploit increases the risk of opportunistic attacks. The vulnerability was published on 2025-01-18.
Exploit Status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0560 is to upgrade CampCodes School Management Software to version 1.0.1, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the Description field to prevent the injection of malicious scripts. Web application firewalls (WAFs) can also be configured to filter out potentially malicious requests targeting the /photo-gallery endpoint. Regularly review and update security rules to ensure they are effective against emerging threats.
Update to a patched version of the school management software. If no version is available, sanitize user inputs on the photo gallery page, especially the 'Description' field, to prevent the execution of malicious scripts. Consider temporarily disabling the photo gallery functionality until a proper solution can be applied.
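The mitigation above (sanitize the Description field, encode what is shown on the photo gallery page) is illustrated below with an added PHP example. This is not CampCodes code and does not reproduce the vulnerable file; the function names, the 500-character limit and the sample input are assumptions chosen for illustration. It contrasts the unsafe pattern of echoing a stored description straight into HTML with the hardened pattern of context-aware output encoding, plus a small input validator as defence in depth.

```php
<?php
// Added example, not CampCodes code. Shows why an unencoded Description
// field leads to stored XSS and how to neutralise it. All names are assumptions.

declare(strict_types=1);

// Unsafe pattern (assumed, not the project's code): the description is written
// into the page unchanged, so markup saved by one user runs in every visitor's
// browser when the gallery page is rendered.
function renderDescriptionUnsafe(string $description): string
{
    return '<p class="gallery-description">' . $description . '</p>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES encodes both
// quote styles so the value is also safe inside attributes, ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string, and the
// explicit charset avoids encoding mismatches that can bypass encoders.
function renderDescriptionSafe(string $description): string
{
    $encoded = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p class="gallery-description">' . $encoded . '</p>';
}

// Defence in depth on the input side: enforce encoding, length and a ban on
// control characters. Returns null when the value is acceptable, otherwise a
// message for the form. It deliberately does not try to strip tags: output
// encoding is what prevents XSS, and blocklist stripping is easy to get wrong.
function validateDescription(string $description, int $maxLength = 500): ?string
{
    if (!mb_check_encoding($description, 'UTF-8')) {
        return 'Description must be valid UTF-8.';
    }
    if (mb_strlen($description, 'UTF-8') > $maxLength) {
        return "Description must be {$maxLength} characters or fewer.";
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', $description) === 1) {
        return 'Description contains unsupported control characters.';
    }
    return null;
}

// Constructed sample input standing in for a hostile Description submission.
$hostile = '<script>alert(1)</script>';

echo "Unsafe rendering:\n" . renderDescriptionUnsafe($hostile) . "\n\n";
echo "Safe rendering:\n" . renderDescriptionSafe($hostile) . "\n\n";

$error = validateDescription($hostile);
echo 'Validation: ' . ($error ?? 'accepted; output encoding neutralises the markup') . "\n";
```

In a template the same rule reads `<?= htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') ?>`; the important point is that the encoding happens wherever the value is written into HTML, not only where it is received, so that descriptions already stored before the fix are rendered safely as well.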
CVE-2025-0560 is a cross-site scripting (XSS) vulnerability affecting CampCodes School Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the Description argument in the /photo-gallery file.
If you are using CampCodes School Management Software version 1.0 or 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 of CampCodes School Management Software. As a temporary workaround, implement input validation and sanitization on the Description field.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Prompt remediation is advised.
Please refer to the CampCodes website or contact their support team for the official advisory regarding CVE-2025-0560.