SourceCodester Student Grades Management System Add New Grade grades.php cross site scripting
अनुवाद हो रहा है…प्लेटफ़ॉर्म
php
घटक
student-grades-management-system
में ठीक किया गया
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Student Grades Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'Remarks' argument within the /grades.php endpoint, potentially compromising user sessions and data. The vulnerability is addressed in version 1.0.1, and users are strongly advised to upgrade.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
Successful exploitation of CVE-2025-13349 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, redirection to phishing sites, and theft of sensitive information such as student grades and personal details. The impact is amplified if the system is used in an educational environment with sensitive student data. While the CVSS score is LOW, the potential for data compromise and disruption warrants immediate attention.
शोषण संदर्भअनुवाद हो रहा है…
This vulnerability has been publicly disclosed, increasing the risk of exploitation. The availability of a public exploit suggests a higher probability of active scanning and attacks targeting vulnerable instances of the Student Grades Management System. No KEV listing or EPSS score is currently available. The public disclosure date (2025-11-18) indicates a relatively short timeframe between discovery and public awareness.
कौन जोखिम में हैअनुवाद हो रहा है…
Educational institutions and organizations utilizing the Student Grades Management System are at risk, particularly those relying on older, unpatched versions (1.0–1.0). Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially impact others.
पहचान के चरणअनुवाद हो रहा है…
• php: Examine the /grades.php file for inadequate input sanitization of the 'Remarks' parameter. Search for instances where user-supplied data is directly outputted to the HTML without proper encoding.
grep -r '$_GET["Remarks"]' /var/www/html/grades.php• generic web: Monitor access logs for unusual requests to /grades.php with suspicious parameters in the 'Remarks' field. Look for patterns indicative of XSS payloads.
grep "<script" /var/log/apache2/access.log | grep /grades.phpहमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.06% (18% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- निम्न — कोई भी वैध उपयोगकर्ता खाता पर्याप्त है।
- User Interaction
- आवश्यक — पीड़ित को फ़ाइल खोलनी, लिंक पर क्लिक करना या पेज पर जाना होगा।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- कोई नहीं — गोपनीयता पर कोई प्रभाव नहीं।
- Integrity
- निम्न — हमलावर सीमित दायरे में कुछ डेटा बदल सकता है।
- Availability
- कोई नहीं — उपलब्धता पर कोई प्रभाव नहीं।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2025-13349 is to upgrade to version 1.0.1 of the Student Grades Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Remarks' field within the /grades.php endpoint to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Remarks field and verifying that it is properly sanitized.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice el sistema Student Grades Management System a una versión posterior a la 1.0, si existe, o aplique un parche que corrija la vulnerabilidad de Cross-Site Scripting (XSS) en el archivo grades.php. Valide y escape las entradas del usuario, especialmente el argumento 'Remarks', para evitar la inyección de código malicioso. Si no hay actualizaciones disponibles, considere deshabilitar o eliminar la funcionalidad vulnerable.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2025-13349 — XSS in Student Grades Management System?
CVE-2025-13349 is a cross-site scripting (XSS) vulnerability affecting Student Grades Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /grades.php endpoint.
Am I affected by CVE-2025-13349 in Student Grades Management System?
You are affected if you are using Student Grades Management System version 1.0 or 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
How do I fix CVE-2025-13349 in Student Grades Management System?
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Remarks' field in /grades.php.
Is CVE-2025-13349 being actively exploited?
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation is possible.
Where can I find the official Student Grades Management System advisory for CVE-2025-13349?
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2025-13349.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।