Plataforma
php
Corrigido em
2.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Student Information System version 2.0. This flaw resides within an unknown function of the /editprofile.php file, allowing attackers to inject malicious scripts. Affected versions include 2.0, and a fix is available in version 2.0.1.
Successful exploitation of CVE-2025-13245 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, defacement of the Student Information System, or redirection to malicious websites. The attacker could potentially gain access to sensitive student data, including personal information, grades, and financial details. Given the remote accessibility of the vulnerability, the blast radius extends to all users of the affected Student Information System.
A public proof-of-concept (PoC) for CVE-2025-13245 is available, indicating a relatively low barrier to entry for exploitation. The vulnerability is not currently listed on CISA KEV. The CVSS score of 3.5 (LOW) reflects the ease of exploitation and limited impact, but the availability of a PoC suggests potential for opportunistic attacks.
Educational institutions and organizations utilizing the code-projects Student Information System 2.0 are at risk. Specifically, those with limited security resources or those who have not implemented robust input validation practices are particularly vulnerable. Shared hosting environments where multiple users share the same server resources could also amplify the impact of this vulnerability.
• php / web:
grep -r "/editprofile.php" /var/www/html/• generic web:
curl -I <student_information_system_url>/editprofile.php | grep -i "X-XSS-Protection"disclosure
Status do Exploit
EPSS
0.05% (percentil 15%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-13245 is to upgrade to version 2.0.1 of the Student Information System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /editprofile.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly review and update input validation routines to prevent future XSS vulnerabilities. After upgrade, confirm functionality by testing the /editprofile.php page with various input types.
Actualice el sistema Student Information System a una versión parcheada que solucione la vulnerabilidad XSS en el archivo editprofile.php. Si no hay una versión parcheada disponible, revise y filtre las entradas del usuario en editprofile.php para evitar la inyección de código malicioso.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-13245 is a cross-site scripting (XSS) vulnerability in Student Information System 2.0, allowing attackers to inject malicious scripts via the /editprofile.php file.
Yes, if you are using Student Information System version 2.0, you are affected by this vulnerability. Upgrade to version 2.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 2.0.1. As a temporary workaround, implement input validation and output encoding on the /editprofile.php page.
While there is no confirmed widespread exploitation, a public proof-of-concept exists, suggesting potential for opportunistic attacks.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-13245.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.