प्लेटफ़ॉर्म
php
घटक
vulnerabilities
में ठीक किया गया
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CampCodes School Management Software versions 1.0 through 1.0. This vulnerability resides within the Photo Gallery Page component, specifically affecting the handling of the Description argument in the /photo-gallery file. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data. A patch is available in version 1.0.1.
The XSS vulnerability in CampCodes School Management Software allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the software is used in a sensitive environment, such as one handling student data, as attackers could potentially gain access to confidential information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the exploit increases the risk of opportunistic attacks. The vulnerability was published on 2025-01-18.
Schools and educational institutions using CampCodes School Management Software are at risk. Specifically, organizations relying on the software to manage student data or sensitive information are particularly vulnerable. Shared hosting environments where multiple users share the same server resources could also be affected, as a successful exploit could potentially impact other applications hosted on the same server.
• generic web: Use curl to test the /photo-gallery endpoint with a malicious payload in the Description parameter. Examine the response for signs of script execution.
curl 'http://<target>/photo-gallery?Description=<script>alert("XSS")</script>'• generic web: Check access and error logs for suspicious requests to /photo-gallery containing unusual characters or script tags. • php: Examine the source code of the Photo Gallery Page component for insecure handling of user input in the Description field. Look for missing or inadequate sanitization routines.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.10% (26% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-0560 is to upgrade CampCodes School Management Software to version 1.0.1, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the Description field to prevent the injection of malicious scripts. Web application firewalls (WAFs) can also be configured to filter out potentially malicious requests targeting the /photo-gallery endpoint. Regularly review and update security rules to ensure they are effective against emerging threats.
Actualizar a una versión parcheada del software de gestión escolar. Si no hay una versión disponible, desinfectar las entradas del usuario en la página de la galería de fotos, especialmente el campo 'Descripción', para evitar la ejecución de scripts maliciosos. Considere deshabilitar temporalmente la funcionalidad de la galería de fotos hasta que se pueda aplicar una solución adecuada.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-0560 is a cross-site scripting (XSS) vulnerability affecting CampCodes School Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the Description argument in the /photo-gallery file.
If you are using CampCodes School Management Software version 1.0 or 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 of CampCodes School Management Software. As a temporary workaround, implement input validation and sanitization on the Description field.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Prompt remediation is advised.
Please refer to the CampCodes website or contact their support team for the official advisory regarding CVE-2025-0560.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।