Platform
php
Component
student-grades-management-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Student Grades Management System version 1.0. The flaw allows attackers to inject script into pages served by the application by manipulating the 'Remarks' argument of the /grades.php endpoint, potentially compromising user sessions and data. The vulnerability is addressed in version 1.0.1, and users are strongly advised to upgrade.
Successful exploitation of CVE-2025-13349 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session on the application's origin. Depending on how the application is deployed, this can enable session hijacking (where the session cookie is not flagged HttpOnly), actions performed with the victim's privileges, redirection to phishing pages, and theft of information rendered in the page, such as student grades and personal details. The impact is amplified in an educational environment that handles sensitive student data. Although the CVSS severity is rated LOW, the potential for data compromise and disruption warrants prompt attention.
This vulnerability was publicly disclosed on 2025-11-18, and a public exploit is available, which increases the likelihood of opportunistic scanning for and attacks against exposed instances of the Student Grades Management System. It has no CISA KEV listing, and its EPSS score is low (0.06%, 18th percentile), so the predicted probability of exploitation in the wild is currently small despite the public exploit.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13349 is to upgrade to version 1.0.1 of the Student Grades Management System. If upgrading is not immediately feasible, apply context-aware output encoding wherever the 'Remarks' value from /grades.php is rendered into HTML (for example with htmlspecialchars in PHP); input validation on the field is a useful additional control but on its own does not prevent XSS, because the defect is in how the value is written into the page, not in what is accepted. A web application firewall (WAF) configured to detect and block XSS payloads can provide a temporary layer of protection, and marking the session cookie HttpOnly limits the damage of a successful injection. After upgrading, confirm the fix on a test instance by submitting a harmless probe containing HTML metacharacters (such as '<' and '"') in the Remarks field and checking that the response body returns it HTML-encoded rather than as live markup.
Update the Student Grades Management System to version 1.0.1, which fixes the cross-site scripting (XSS) vulnerability in grades.php. Validate and, above all, escape user-supplied values at the point of output, especially the 'Remarks' argument, to prevent the injection of malicious code. If no update can be applied, consider disabling or removing the vulnerable functionality.
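The output-encoding fix and the post-upgrade check described above, as an added PHP example. This is not the Student Grades Management System's source (which is not reproduced on this page): the table-cell markup, the function names and the treatment of 'Remarks' as a form parameter are assumptions, and the probe string is a constructed test value rather than a real exploit.

```php
<?php
// Added example, not the project's code. The markup, function names and the
// assumption that 'Remarks' arrives as a form field are illustrative only.

// Vulnerable pattern: the untrusted 'Remarks' value is concatenated straight
// into HTML, so any markup it contains is parsed by the victim's browser.
function render_remarks_vulnerable(string $remarks): string
{
    return '<td class="remarks">' . $remarks . '</td>';
}

// Hardened pattern: encode for the HTML text/attribute context at output time.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside a
// double-quoted attribute value; ENT_SUBSTITUTE replaces malformed UTF-8
// instead of returning an empty string, which would silently drop the field.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_remarks_fixed(string $remarks): string
{
    return '<td class="remarks">' . esc_html($remarks) . '</td>';
}

// Optional server-side validation: a remark is short free text without
// control characters. This limits abuse but is NOT the XSS fix; encoding is.
function validate_remarks(string $remarks): bool
{
    return strlen($remarks) <= 2000
        && !preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $remarks);
}

// Post-upgrade check: given the body of the /grades.php response that displays
// the saved remark, report whether the probe came back as raw markup. A probe
// containing '<' or '"' cannot appear verbatim once it has been HTML-encoded.
function probe_reflected_raw(string $responseBody, string $probe): bool
{
    return strpos($responseBody, $probe) !== false;
}

// Self-test from the command line: php remarks_xss_check.php
if (PHP_SAPI === 'cli') {
    $probe = '<script>alert(1)</script>"><b>x</b>'; // constructed probe

    $vulnerable = render_remarks_vulnerable($probe);
    $fixed      = render_remarks_fixed($probe);

    printf("probe accepted by validation:        %s\n", validate_remarks($probe) ? 'yes' : 'no');
    printf("vulnerable render reflects raw probe: %s\n", probe_reflected_raw($vulnerable, $probe) ? 'yes' : 'no');
    printf("fixed render reflects raw probe:      %s\n", probe_reflected_raw($fixed, $probe) ? 'yes' : 'no');
    echo "fixed render: ", $fixed, "\n";
}
```

Note that the probe passes validation: a length and control-character check does nothing against script tags, which is why encoding at output is the control that matters. To use probe_reflected_raw against a real deployment, save the probe through the application's normal form on a test instance and pass the fetched HTML of the page that displays it; a 'yes' for the fixed build means the upgrade did not take effect or another template path still writes the value unencoded.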
CVE-2025-13349 is a cross-site scripting (XSS) vulnerability affecting Student Grades Management System version 1.0, allowing attackers to inject malicious scripts via the 'Remarks' argument of the /grades.php endpoint.
You are affected if you run Student Grades Management System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, HTML-encode the 'Remarks' value wherever /grades.php renders it, and add input validation on the field as a secondary control.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation is possible.
No official vendor advisory is linked on this page; refer to the SourceCodester project page and the CVE record for CVE-2025-13349 for the authoritative details.