Platform
php
Component
critical-security-vulnerability-report-stored-xss
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Student Information System version 1.0. This flaw allows attackers to inject malicious scripts into the application via manipulation of the firstname/lastname parameters within the /profile.php file. Successful exploitation could lead to session hijacking or defacement. The vulnerability affects version 1.0 and is resolved in version 1.0.1.
The primary impact of this XSS vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as session cookies, which could then be used to impersonate the user. Attackers could also modify the content of the Student Information System, potentially defacing the site or redirecting users to malicious websites. Given the public availability of an exploit, the risk of exploitation is elevated.
This vulnerability is considered LOW severity according to CVSS. A public proof-of-concept exploit is available, indicating a higher risk of exploitation. The vulnerability was published on 2025-12-24. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-15052 is to immediately upgrade to version 1.0.1 of the Student Information System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the firstname and lastname parameters in /profile.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /profile.php endpoint can provide an additional layer of defense. Monitor access logs for suspicious requests containing unusual characters or patterns in the firstname/lastname parameters.
Update the Student Information System to a patched version or implement input sanitization measures in the /profile.php file to prevent the execution of XSS (Cross-Site Scripting) code. Validate and escape the firstname and lastname variables before displaying them on the page.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-15052 is a cross-site scripting (XSS) vulnerability in Student Information System version 1.0, allowing attackers to inject malicious scripts via the firstname/lastname parameters in /profile.php.
If you are using Student Information System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the firstname and lastname parameters.
A public proof-of-concept exploit is available, suggesting a potential for active exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-15052.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.