Platform: php
Component: vulnerabilities
Fixed in: 1.0.1
CVE-2025-1159 is a cross-site scripting (XSS) vulnerability discovered in CampCodes School Management Software. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The issue affects versions 1.0 through 1.0 and has been resolved in version 1.0.1.
Successful exploitation of CVE-2025-1159 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive student and staff data, including personal information, grades, and financial records. The impact is amplified if the application is used in a shared hosting environment, as a compromised instance could potentially affect other tenants.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability was disclosed on 2025-02-10.
Exploit Status
EPSS: 0.25% (48th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1159 is to upgrade CampCodes School Management Software to version 1.0.1 or later. If upgrading is not immediately feasible, implement strict input validation and output encoding on the /academic-calendar endpoint to prevent malicious script injection. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out potentially harmful requests. Regularly review and update the application's security configuration to minimize the attack surface.
Update to a patched version of CampCodes School Management Software. If a patched version is not available, sanitize all user inputs in the /academic-calendar file to prevent the execution of malicious JavaScript code. Consider contacting the vendor for a patch.
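The workaround above (validate input, encode output on the calendar page) as an added PHP illustration; this is not CampCodes code and does not reproduce the vulnerable source. The parameter names `event_title` and `event_date`, the list-item markup, and the sample request values are all constructed assumptions.

```php
<?php
// Added example, not code from CampCodes School Management Software.
// Assumes (hypothetically) that the academic-calendar page echoes a
// user-supplied event title and event date back into the HTML response.

// --- Pattern that allows reflected XSS: raw input placed into HTML ---
function render_event_unsafe(string $title, string $date): string
{
    return "<li><strong>$title</strong> on $date</li>";
}

// --- Hardened pattern: validate the shape of each input, then encode on output ---

// Accept only ISO-8601 calendar dates (YYYY-MM-DD); the round-trip check
// rejects impossible dates such as 2025-02-30 that createFromFormat would roll over.
function validate_event_date(string $date): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $date);
    if ($dt === false || $dt->format('Y-m-d') !== $date) {
        return null;
    }
    return $date;
}

// Free-text field: enforce a length cap and reject control characters, but do
// not try to "strip tags"; neutralising markup is the job of output encoding.
function validate_event_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 120) {           // byte-length cap
        return null;
    }
    if (preg_match('/\p{Cc}/u', $title)) {                  // any control char
        return null;
    }
    return $title;
}

// ENT_QUOTES also escapes single quotes, so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning an empty string.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_event_safe(string $title, string $date): ?string
{
    $title = validate_event_title($title);
    $date  = validate_event_date($date);
    if ($title === null || $date === null) {
        return null; // caller should answer 400 Bad Request and log the rejection
    }
    return '<li><strong>' . html_escape($title) . '</strong> on '
         . html_escape($date) . '</li>';
}

// Constructed sample request values (not taken from the advisory).
$samples = [
    ['title' => 'Term 2 starts',     'date' => '2025-02-10'],
    ['title' => '<b>Exam week</b>',  'date' => '2025-02-10'], // markup in title
    ['title' => 'Sports day',        'date' => '10/02/2025'], // wrong date format
];

foreach ($samples as $s) {
    echo 'unsafe: ' . render_event_unsafe($s['title'], $s['date']) . PHP_EOL;
    $safe = render_event_safe($s['title'], $s['date']);
    echo 'safe:   ' . ($safe ?? '[rejected: 400 Bad Request]') . PHP_EOL . PHP_EOL;
}
```

Running it shows the second sample rendered with `&lt;b&gt;Exam week&lt;/b&gt;` in the safe branch (the browser displays the literal text instead of interpreting it) and the third sample rejected by the date check. Encoding must be applied at every point where the value reaches HTML, including templates that build the calendar elsewhere; validation alone is not sufficient for free-text fields.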
CVE-2025-1159 is a cross-site scripting vulnerability affecting CampCodes School Management Software versions 1.0-1.0, allowing attackers to inject malicious scripts via the /academic-calendar file.
If you are running CampCodes School Management Software version 1.0 (the affected range is 1.0 through 1.0), you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement strict input validation and output encoding on the /academic-calendar endpoint.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed and may be targeted by opportunistic attackers.
Please refer to the CampCodes website or contact their support team for the official advisory regarding CVE-2025-1159.