Platform
php
Component
online-class-and-exam-scheduling-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Class and Exam Scheduling System version 1.0. The issue resides in the file /Scheduling/scheduling/pages/profile.php and is triggered by manipulating the 'username' argument. Successful exploitation allows an attacker to inject malicious scripts into the rendered page, potentially compromising user sessions and data. A fix is available in version 1.0.1.
The XSS vulnerability in Online Class and Exam Scheduling System allows an attacker to inject arbitrary JavaScript that executes in the browser of any user who renders the affected page. This can lead to theft of session cookies, redirection of users to phishing sites, and defacement of the application's interface. Because the script runs with the victim's privileges in the application, an attacker could gain access to sensitive user data such as exam schedules and personal information. The vulnerability is exploitable remotely: an attacker with network access to the affected system needs only to get a user of the application to open a crafted URL or submit a crafted request. While the CVSS score is LOW, the potential for user data compromise and session hijacking warrants prompt remediation.
This vulnerability has been publicly disclosed, which increases the likelihood of exploitation. No active campaigns targeting it are currently known, but the availability of a public proof of concept lowers the bar for attackers. Note that the CVSS score of 3.5 (LOW) rates severity, not likelihood of exploitation; the exploitation probability is what the EPSS value on this page (0.09%) estimates. Proactive mitigation is still recommended. The vulnerability was published on 2025-03-04.
Educational institutions and organizations using the Online Class and Exam Scheduling System are at risk, particularly those running version 1.0. Because the injected script executes in the browsers of other users of the application, deployments that serve many users, including shared hosting environments where several users share the same server, are at increased risk: a single compromised or attacker-controlled account can be leveraged to attack other users of the same installation.
• wordpress / composer / npm:
grep -rn 'username' /path/to/webroot/Scheduling/scheduling/pages/profile.php
• generic web:
curl -s 'http://your-server.com/Scheduling/scheduling/pages/profile.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -c '<script>alert(1)</script>'
Replace /path/to/webroot with the installation's document root. The check must be a GET request with the payload URL-encoded and the whole URL quoted: a HEAD request (curl -I) returns only headers and can never show the reflected body, and an unquoted <script> is interpreted by the shell as a redirection. If profile.php requires a login, pass a valid session cookie with -b. A count greater than 0 means the payload is reflected unencoded and the endpoint is still vulnerable; 0 means it was HTML-encoded or not reflected at all.
Exploit Status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1955 is to upgrade to version 1.0.1 of the Online Class and Exam Scheduling System. If upgrading immediately is not feasible, implement input validation on the 'username' parameter and context-appropriate output encoding (HTML escaping) wherever /Scheduling/scheduling/pages/profile.php writes it into the page. Web application firewalls (WAFs) configured to detect and block XSS payloads add a further layer of defense but are not a substitute for fixing the code. Review access logs for requests to the /Scheduling/scheduling/pages/profile.php endpoint whose username parameter contains markup or script fragments, in raw or URL-encoded form. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS payload via the username parameter and verifying that the response returns it HTML-encoded rather than as live markup.
Update to a patched version or apply the necessary security measures to prevent injection of malicious code through the 'username' parameter in the profile.php file. Validating user input and encoding it on output is fundamental. If the patched version cannot be deployed right away, consider disabling or removing the vulnerable functionality until the fix can be applied.
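The following is an added example, not code from code-projects or from this advisory. The page does not reproduce the real profile.php, so the "before" function reconstructs the usual cause of a reflected XSS (a request parameter echoed straight into HTML) and the "after" functions show the two-layer fix the mitigation section describes: allow-list validation of the username plus HTML encoding at the point of output. The parameter source ($_GET['username']), the username policy, and the function names are assumptions for illustration; the script needs PHP 8.0 or later.

```php
<?php
// Added example (not the project's or the advisory's code). The real profile.php
// is not shown on this page; render_heading_vulnerable() reconstructs the usual
// reflected-XSS pattern, and the functions after it show the fix. The parameter
// source ($_GET['username']) and the username policy are assumptions. PHP 8.0+.
declare(strict_types=1);

// BEFORE (vulnerable pattern): the raw value is interpolated into markup, so
// ?username=<script>alert(1)</script> executes in the victim's browser.
function render_heading_vulnerable(string $username): string
{
    return '<h2>Profile of ' . $username . '</h2>';
}

// Fix, step 1 - input validation: accept only what a username can legitimately
// be and reject everything else. Rejecting beats trying to "clean" the value,
// which invites filter-bypass payloads.
function validate_username(string $username): ?string
{
    // Assumed policy: 3-32 characters of letters, digits, dot, underscore, hyphen.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $username) === 1 ? $username : null;
}

// Fix, step 2 - output encoding for the HTML text / quoted-attribute context,
// applied where the value is written out. ENT_QUOTES also escapes single quotes
// so the value stays safe inside single-quoted attributes; ENT_SUBSTITUTE keeps
// invalid UTF-8 from turning the whole string into "" and silently dropping it.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// AFTER: validate first, and still encode on output (defence in depth, so a
// later relaxation of the username policy does not reopen the hole).
function render_heading_safe(string $username): string
{
    $valid = validate_username($username);
    if ($valid === null) {
        return '<h2>Profile</h2><p class="error">Invalid username.</p>';
    }
    return '<h2>Profile of ' . h($valid) . '</h2>';
}

if (PHP_SAPI === 'cli') {
    // Self-check from the command line: php profile_fix.php
    $payload = '<script>alert(1)</script>';
    $beforeReflects = str_contains(render_heading_vulnerable($payload), '<script>');
    $afterHolds = !str_contains(render_heading_safe($payload), '<script>')
        && render_heading_safe('alice_01') === '<h2>Profile of alice_01</h2>'
        // Encoding alone must also neutralise the payload, independent of validation.
        && h($payload) === '&lt;script&gt;alert(1)&lt;/script&gt;';
    echo 'before: ', $beforeReflects ? 'payload reflected as markup' : 'unexpected', PHP_EOL;
    echo 'after:  ', $afterHolds ? 'payload rejected and encoded' : 'FAILED', PHP_EOL;
    exit($beforeReflects && $afterHolds ? 0 : 1);
}

// Web request path (assumed parameter name and source). username[]=x would make
// the value an array, so anything that is not a string is treated as empty.
$raw = $_GET['username'] ?? '';
echo render_heading_safe(is_string($raw) ? $raw : '');
```

htmlspecialchars() is the correct encoder only for HTML text and quoted attribute values. If the real page writes the username into a JavaScript string, a URL, or an unquoted attribute, that context needs its own encoding (for example json_encode() with the JSON_HEX_* flags for an inline script). A Content-Security-Policy header that disallows inline scripts is a useful backstop, but it does not replace encoding at the output point.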
CVE-2025-1955 is a cross-site scripting (XSS) vulnerability in Online Class and Exam Scheduling System version 1.0 that allows attackers to inject malicious scripts via the username parameter of /Scheduling/scheduling/pages/profile.php.
You are affected if you are using Online Class and Exam Scheduling System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement input validation and sanitization on the username parameter.
While no active campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security forums for the official advisory regarding CVE-2025-1955.