Platform: php
Component: online-class-and-exam-scheduling-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Class and Exam Scheduling System version 1.0. The issue resides in the /Scheduling/scheduling/pages/profile.php file and is triggered by manipulating the 'username' argument. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data. A fix is available in version 1.0.1.
The XSS vulnerability in Online Class and Exam Scheduling System allows an attacker to inject arbitrary JavaScript code into the application. This can lead to various malicious actions, including stealing user cookies, redirecting users to phishing sites, and defacing the application's interface. An attacker could potentially gain access to sensitive user data, such as exam schedules and personal information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected system. While the CVSS score is LOW, the potential for user data compromise and session hijacking necessitates prompt remediation.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There are currently no known active campaigns targeting this specific vulnerability, but the availability of a public exploit increases the risk. The CVSS score of 3.5 rates the severity as LOW, but proactive mitigation is still recommended. The vulnerability was published on 2025-03-04.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The primary mitigation for CVE-2025-1955 is to upgrade to version 1.0.1 of the Online Class and Exam Scheduling System. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'username' parameter within the /Scheduling/scheduling/pages/profile.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review access logs for suspicious activity related to the /Scheduling/scheduling/pages/profile.php endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload via the username parameter and verifying that it is properly sanitized.
Update to a patched version or apply the necessary security measures to prevent the injection of malicious code through the 'username' parameter in the profile.php file. Sanitizing user input is essential. If a patched version is not available, consider disabling or removing the vulnerable functionality until a solution can be applied.
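As an added example (not code from the Online Class and Exam Scheduling System project or from this advisory), the following PHP shows the output pattern the advisory describes, a 'username' value written into HTML without encoding, alongside the validation-plus-encoding fix the mitigation section recommends. The function names, the username policy and the sample input are assumptions constructed for illustration; the project's actual profile.php is not reproduced here.

```php
<?php
// Added example, not the project's code. Illustrates the pattern behind
// CVE-2025-1955 as described in the advisory (a 'username' parameter echoed
// into HTML) and a hardened form of the same output. All names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern (hypothetical): user-controlled input is concatenated
// straight into markup, so any HTML or script in the value is rendered.
function render_profile_unsafe(string $username): string
{
    return '<h2>Profile: ' . $username . '</h2>';
}

// Step 1, validation: accept only the shape a username should have.
// The policy below is constructed for this example: 3 to 32 characters,
// letters, digits, dot, underscore and hyphen. Returns null on rejection.
function validate_username(string $username): ?string
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1 ? $username : null;
}

// Step 2, contextual output encoding for an HTML text/attribute context.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, so the page still renders.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: validate first, then encode on output regardless of
// whether validation passed. Validation narrows the input; encoding is what
// actually neutralises markup, so the two are used together, not as alternatives.
function render_profile_safe(string $username): string
{
    $clean = validate_username($username);
    if ($clean === null) {
        return '<h2>Profile: ' . e('(invalid username)') . '</h2>';
    }
    return '<h2>Profile: ' . e($clean) . '</h2>';
}

// Constructed sample input containing markup characters. In a web context the
// value would come from the request, as in the advisory's 'username' parameter.
$sample = $_GET['username'] ?? 'alice<b>bold</b>';

echo render_profile_unsafe($sample), PHP_EOL;   // markup passes through unchanged
echo render_profile_safe($sample), PHP_EOL;     // rejected by validation, safe fallback shown
echo render_profile_safe('alice_01'), PHP_EOL;  // valid name, still encoded on output
echo e('O\'Brien & Co <Admin>'), PHP_EOL;       // encoding alone, for values that cannot be restricted
```

Running the file on the command line (`php profile_example.php`) prints the unsafe line with the `<b>` tags intact and the safe lines with every markup character encoded. The same `e()` helper belongs around every other user-controlled value the page emits, not only the username, and it covers HTML contexts only; a value placed inside a JavaScript block or a URL needs the encoding appropriate to that context.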
CVE-2025-1955 is a cross-site scripting (XSS) vulnerability in Online Class and Exam Scheduling System version 1.0, allowing attackers to inject malicious scripts via the username parameter.
You are affected if you are using Online Class and Exam Scheduling System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement input validation and sanitization on the username parameter.
While no active campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security forums for the official advisory regarding CVE-2025-1955.