Platform
other
Component
student-homework-management-system
Fixed in
1.2.8
A cross-site scripting (XSS) vulnerability, CVE-2025-3149, has been identified in the itning Student Homework Management System, affecting versions 1.2.0 through 1.2.7. The flaw lets an attacker inject script into pages the application renders for other users, which can compromise user data and the integrity of the interface. The vulnerability resides in the /shw_war/fileupload file of the Edit Job Page component and is triggered through manipulation of the Course argument. A patch is available in version 1.2.8.
Successful exploitation of CVE-2025-3149 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session with the application. That enables session hijacking (where session cookies are not protected with HttpOnly), phishing content injected into the trusted interface, and defacement of the Student Homework Management System pages. Sensitive data handled by the application, such as student grades, assignments and personal information, could be read or modified with the victim's privileges. The vulnerability is remotely exploitable by anyone with network access to the system, though, as with any XSS, a victim must load the affected page or follow a crafted link. Lateral movement to other systems is limited, but the blast radius covers every user who interacts with the affected page.
The vulnerability has been publicly disclosed, which increases the risk of exploitation. No active campaigns have been linked to CVE-2025-3149, but the public details make it a candidate for opportunistic attackers. The entry was added to the NVD on 2025-04-03. Its EPSS score is 0.18% (39th percentile), a low predicted probability of exploitation in the wild over the next 30 days despite the simple exploitation path.
Exploit Status
EPSS
0.18% (39th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-3149 is to upgrade the Student Homework Management System to version 1.2.8 or later, which contains the fix. Test the new version in a non-production environment before deploying it. If upgrading is not immediately possible, the workaround is to HTML-encode the Course value at every point where /shw_war/fileupload renders it (output encoding is what actually prevents XSS) and to validate it against an allowlist on input as defense in depth. A Web Application Firewall (WAF) can block common XSS payloads, but WAF rules are routinely bypassed and should not be the only control. Monitor access and application logs for requests to /shw_war/fileupload whose Course value contains tags, event handlers or javascript: URLs.
If the project is no longer maintained beyond 1.2.8, plan to migrate to an alternative that receives security updates. Where migration is not possible, isolate the system and add compensating controls, such as a firewall restricting who can reach it, to reduce the likelihood of exploitation.
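The unencoded rendering described for the Course argument, beside the output-encoding, allowlist-validation and log-monitoring workaround, as an added Python example. This is not code from the itning project (which the page does not show); the allowlist pattern, the XSS indicator regex, the access-log format and the sample log lines are all assumptions constructed for the illustration, and the scanner assumes Course arrives as a query-string parameter, which may not match how the real application submits the field (a value sent in a multipart POST body would not appear in an access log at all).

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist for the Course field (assumed policy, not the project's own rule):
# letters, digits, spaces and a few punctuation marks that occur in course
# names, capped at 64 characters. Anything else is rejected before storage.
COURSE_PATTERN = re.compile(r"^[\w \-.()/,:]{1,64}$")


def is_valid_course(value: str) -> bool:
    """Server-side validation of the Course argument (defense in depth)."""
    return COURSE_PATTERN.fullmatch(value) is not None


def render_course_cell_vulnerable(course: str) -> str:
    """Models the flaw: the value is dropped into the page as raw markup."""
    return '<td class="course">%s</td>' % course


def render_course_cell_safe(course: str) -> str:
    """The actual XSS fix: HTML-encode at output time, quotes included, so
    the value is always text content and never becomes a tag or attribute."""
    return '<td class="course">%s</td>' % html.escape(course, quote=True)


# Indicators that a Course value is trying to become markup or script
# (assumed detection heuristic; tune for your own false-positive rate).
XSS_INDICATORS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)

# Apache/Tomcat-style access log line:
# client ident user [time] "METHOD target HTTP/x" status ...
ACCESS_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def extract_course(request_target: str) -> Optional[str]:
    """Return the Course query parameter, decoded twice so that a
    double-encoded payload (%253C -> %3C -> <) is seen in its final form."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    values = params.get("Course")
    if not values:
        return None
    return unquote(values[0])  # parse_qs already decoded once


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan access log lines for requests to /shw_war/fileupload whose
    Course parameter matches an XSS indicator. Returns (client, course)."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m is None:
            continue
        client, target, _status = m.groups()
        if not urlsplit(target).path.endswith("/shw_war/fileupload"):
            continue
        course = extract_course(target)
        if course is not None and XSS_INDICATORS.search(course):
            hits.append((client, course))
    return hits


# Constructed sample log lines (not real traffic); the third one is a
# double-URL-encoded payload that a single decode would miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2025:10:00:01 +0000] "GET /shw_war/fileupload?Course=Algebra+II HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Apr/2025:10:00:07 +0000] "GET /shw_war/fileupload?Course=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [03/Apr/2025:10:00:09 +0000] "GET /shw_war/fileupload?Course=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640',
    '10.0.0.7 - - [03/Apr/2025:10:00:12 +0000] "GET /shw_war/other?Course=%3Cb%3Ex HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"
    print("valid:     ", is_valid_course(payload))
    print("vulnerable:", render_course_cell_vulnerable(payload))
    print("safe:      ", render_course_cell_safe(payload))
    for client, course in suspicious_requests(SAMPLE_LOG):
        print("ALERT", client, repr(course))
```

The validator is deliberately not the primary control: an allowlist can be loosened later for a legitimate course name, while encoding at the output point stays correct regardless of what was stored. The scanner decodes twice on purpose; a WAF or log rule that decodes only once is exactly what the `%253C` form in the third sample line is built to slip past.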
CVE-2025-3149 is a cross-site scripting vulnerability affecting Student Homework Management System versions 1.2.0–1.2.7. It allows attackers to inject malicious scripts via the Course argument, potentially compromising user data.
You are affected if you run Student Homework Management System versions 1.2.0 through 1.2.7. If the project is no longer maintained, treat the upgrade to 1.2.8 as a stopgap while you plan a migration.
Upgrade to version 1.2.8 or later. If upgrading is not feasible, implement input validation and output encoding as a temporary workaround.
While no confirmed active campaigns are known, the public disclosure increases the risk of exploitation by opportunistic attackers.
The project itself may not have published a formal advisory. Check the itning project's release notes for 1.2.8 and the NVD entry for CVE-2025-3149 for updates.