Platform
php
Component
my-cve-reports
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in codingWithElias School Management System versions up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. This flaw, located in the 'Edit Student Info Page' component's /student-view.php file, allows attackers to inject malicious scripts. Public exploits are available, increasing the risk of exploitation. The system follows a rolling release model, so specific version details are not provided.
Successful exploitation of CVE-2025-13795 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including session hijacking, defacement of the School Management System's interface, and theft of sensitive user data such as student records, grades, and personal information. Given the public availability of an exploit, the risk of widespread exploitation is significant. The impact is amplified if the system is used to manage sensitive student data or is integrated with other critical systems.
CVE-2025-13795 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. The ease of exploitation, combined with the potential for data theft and system compromise, makes this a significant security concern.
Educational institutions and organizations utilizing the codingWithElias School Management System are at risk, particularly those relying on the system to manage sensitive student data. Organizations with legacy configurations or those who have not implemented robust input validation practices are especially vulnerable.
• php: Examine /student-view.php for inadequate input validation on the 'First Name' parameter. Search for code that directly outputs user input without proper sanitization, such as:

```php
<?php
// Example of vulnerable code: the query parameter is echoed into the page without output encoding
echo $_GET['first_name']; ?>
```

• generic web: Monitor access logs for requests to /student-view.php with suspicious parameters in the 'first_name' field, such as those containing HTML tags or JavaScript code:

```sh
grep 'first_name=<script' /var/log/apache2/access.log
```

Payloads are usually URL-encoded in logged request lines, so also search for the encoded form (e.g. `first_name=%3Cscript`).

• generic web: Check HTTP responses for signs of XSS payloads being reflected back to the user. Use browser developer tools to inspect the response and look for unexpected script tags.
EPSS
0.04% (11th percentile)
The primary mitigation for CVE-2025-13795 is to upgrade to version 1.0.1. Due to the rolling release nature of the School Management System, direct rollbacks may not be possible. As a temporary workaround, input validation and output encoding should be implemented on the 'First Name' field in /student-view.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /student-view.php endpoint can also provide some protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'First Name' field and verifying that the script does not execute.
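The workaround above (validate the input, encode the output) as an added example; this is not the project's code, and the function names, the name format and the sample inputs are assumptions made for illustration:

```php
<?php
// Added example, not taken from School Management System: a hardened
// replacement for echoing $_GET['first_name'] directly in /student-view.php.
declare(strict_types=1);

// Encode for an HTML text context. ENT_QUOTES also escapes ' and " so the
// value stays safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would hide tampering.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation as a second layer (assumed format): a first name is a short
// string of letters, spaces, hyphens and apostrophes. Returns null on rejection.
function validateFirstName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    return preg_match('/^[\p{L}][\p{L} \'\-]*$/u', $name) === 1 ? $name : null;
}

// Hardened rendering: reject input that is not a plausible name, and encode
// whatever is rendered. Arrays (first_name[]=x) are rejected, not cast.
function renderFirstName(array $query): string
{
    $raw = $query['first_name'] ?? '';
    $name = validateFirstName(is_string($raw) ? $raw : '');
    if ($name === null) {
        return '<p class="error">Invalid first name.</p>';
    }
    return '<p>First name: ' . encodeForHtml($name) . '</p>';
}

// Constructed probe inputs, not taken from any real request.
$probes = [
    ['first_name' => 'Anna-Marie'],
    ['first_name' => "O'Brien"],
    ['first_name' => '<script>alert(1)</script>'],
    ['first_name' => ['x']],
];
foreach ($probes as $q) {
    echo renderFirstName($q), PHP_EOL;
}
// Even without the validation layer, encoding alone neutralises the payload:
echo encodeForHtml('<script>alert(1)</script>'), PHP_EOL;
```

Encoding must match the output context; the helper above is correct for HTML body text and quoted attributes, not for values placed inside inline JavaScript or URLs.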
Update to a patched version of School Management System. Contact the vendor to obtain a fixed version, or apply a patch that filters input to the 'First Name' field in the /student-view.php file to prevent execution of malicious JavaScript code.
CVE-2025-13795 is a cross-site scripting (XSS) vulnerability affecting School Management System versions up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01, allowing attackers to inject malicious scripts.
If you are using School Management System versions prior to 1.0.1, you are potentially affected by this vulnerability. The system follows a rolling release, so confirm your version against the affected range.
Upgrade to version 1.0.1. If upgrading is not immediately possible, implement input validation and output encoding on the 'First Name' field in /student-view.php as a temporary workaround.
Yes, a public proof-of-concept exploit is available, indicating a high probability of active exploitation.
Refer to the codingWithElias website or their official communication channels for the advisory related to CVE-2025-13795.