Plataforma
php
Componente
vulnerabilities
Corrigido em
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CampCodes School Management Software versions 1.0 through 1.0. This flaw resides within the /chat/group/send component, specifically affecting the handling of the 'message' argument. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. A patch is available in version 1.0.1.
The XSS vulnerability in CampCodes School Management Software allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal user cookies, redirect users to malicious websites, or deface the application's interface. The impact is amplified if the application is used to manage sensitive student or staff data, as an attacker could potentially gain access to this information. Given the location of the vulnerability within the chat functionality, attackers could craft messages containing malicious scripts that are then executed when other users view the chat history. This could lead to widespread compromise within the school environment.
This vulnerability has been publicly disclosed. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrants immediate attention. No known active exploitation campaigns have been reported at the time of writing, but the public disclosure increases the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV.
Schools and educational institutions utilizing CampCodes School Management Software versions 1.0 through 1.0 are at risk. This includes organizations that rely on the software for student management, communication, and other administrative tasks. Shared hosting environments where multiple schools share the same server instance are particularly vulnerable, as a compromise of one school could potentially impact others.
• php / web:
curl -s -X POST "http://<target>/chat/group/send" -d "message=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"• generic web:
curl -s -X POST "http://<target>/chat/group/send" -d "message=<img src=x onerror=alert('XSS')>"; echo $response | grep "<img src=x onerror=alert('XSS')>"disclosure
Status do Exploit
EPSS
0.13% (percentil 33%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-0581 is to upgrade CampCodes School Management Software to version 1.0.1 or later, which contains the necessary fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /chat/group/send endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this endpoint. Regularly review and update security policies to ensure proper input validation practices are enforced across the application.
Actualice el software School Management a una versión posterior a la 1.0, si existe, proporcionada por el proveedor. Si no hay una actualización disponible, revise y filtre las entradas del usuario en el archivo /chat/group/send para evitar la inyección de código malicioso. Considere deshabilitar la funcionalidad de chat hasta que se pueda aplicar una solución.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-0581 is a cross-site scripting (XSS) vulnerability affecting CampCodes School Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the /chat/group/send endpoint.
You are affected if you are using CampCodes School Management Software versions 1.0–1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade CampCodes School Management Software to version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
No active exploitation campaigns have been confirmed, but the vulnerability is publicly disclosed and poses a risk.
Please refer to the CampCodes website or contact their support team for the official advisory regarding CVE-2025-0581.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.