Platform: php
Component: vulnerabilities
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Campcodes School Management Software version 1.0. The flaw resides in the /create-id-card endpoint, specifically in the handling of the 'ID Card Title' parameter. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. A patch is available in version 1.0.1.
The XSS vulnerability in Campcodes School Management Software allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the software is used in a sensitive environment, such as a school with student data, as attackers could potentially gain access to confidential information. The remote nature of the exploit means it can be launched from anywhere with network access to the vulnerable system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. There are no known active campaigns and no KEV listing at the time of writing. Public proof-of-concept code is likely to emerge given the disclosure.
Schools and educational institutions using Campcodes School Management Software version 1.0 are at immediate risk. Organizations relying on this software to manage student data or other sensitive information should prioritize patching. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a compromise of one user could potentially impact others.
• php / web: Examine access logs for requests to /create-id-card with unusual or suspicious characters in the 'ID Card Title' parameter. Use grep to search for common XSS payloads within the application's codebase.
• generic web: Use curl to test the /create-id-card endpoint with a simple XSS payload (e.g., <script>alert(1)</script>). Check the response for signs of script execution.
curl -X POST -d "ID Card Title=<script>alert(1)</script>" http://your-school-management-software/create-id-card
Exploit status
EPSS: 0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0559 is to upgrade Campcodes School Management Software to version 1.0.1, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'ID Card Title' parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'ID Card Title' field and verifying that it is properly sanitized.
Update School Management Software to a version later than 1.0, if available, that fixes the cross-site scripting (XSS) vulnerability in the ID card creation page. If no update is available, consider disabling or removing the ID card creation functionality, or implement input sanitization for the 'ID Card Title' field to prevent the injection of malicious code.
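The temporary mitigation described above (input validation plus output encoding for 'ID Card Title'), sketched in PHP as an added example; it is not Campcodes code and not the 1.0.1 patch. The function names, the allowed character set and the 100-character limit are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the application's real handler is not shown on the page.

/**
 * Input validation: allowlist of characters and a length limit (assumed policy).
 * Returns the trimmed title, or null when it must be rejected.
 */
function validate_id_card_title(string $title): ?string
{
    $title = trim($title);
    // Letters, digits, spaces and limited punctuation; no angle brackets or slashes.
    // preg_match() returns false on invalid UTF-8 under /u, which is also rejected.
    if (preg_match('/\A[\p{L}\p{N} .,&()\'"\-]{1,100}\z/u', $title) !== 1) {
        return null;
    }
    return $title;
}

/** Output encoding for an HTML text node or a quoted attribute value. */
function encode_for_html(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // byte sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a normal title, the test string used on this page,
// and a legitimate title that contains HTML metacharacters.
$samples = [
    'Student ID Card 2025',
    '<script>alert(1)</script>',
    'Class "A" & Staff\'s Pass',
];

foreach ($samples as $raw) {
    $decision = validate_id_card_title($raw) !== null ? 'accept' : 'reject';
    // Vulnerable pattern for comparison: echo "<h2>$raw</h2>";
    // Encode at output regardless of the validation result, because rows
    // stored before the check existed are rendered by the same template.
    printf("%-7s <h2>%s</h2>\n", $decision, encode_for_html($raw));
}
```

The third sample passes validation yet still contains quotes and an ampersand, which is why the encoding step cannot be dropped once validation is in place.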
CVE-2025-0559 is a cross-site scripting (XSS) vulnerability in Campcodes School Management Software version 1.0, allowing attackers to inject malicious scripts via the 'ID Card Title' parameter.
If you are using Campcodes School Management Software version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'ID Card Title' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Prompt patching is recommended.
Please refer to the Campcodes website or their official communication channels for the advisory related to CVE-2025-0559.