Platform
php
Component
cves
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Student Record Management System versions up to 1.0. This flaw allows attackers to inject malicious scripts into the application via manipulation of the 'Course Short Name' parameter within the /edit-course.php file. Successful exploitation could lead to session hijacking or other malicious actions, impacting users of the system. The vulnerability was publicly disclosed on 2026-03-02 and mitigation focuses on patching.
The XSS vulnerability in PHPGurukul Student Record Management System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a victim's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The attack is remotely exploitable, meaning an attacker doesn't need to be on the same network as the server. Given the nature of XSS, the potential impact extends to any user interacting with the vulnerable page, potentially compromising sensitive data or system access.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The exploit is relatively straightforward, making it accessible to a wide range of attackers. No KEV listing or EPSS score is currently available. Public proof-of-concept code may emerge, further accelerating exploitation attempts. The vulnerability was disclosed on 2026-03-02.
Organizations using PHPGurukul Student Record Management System version 1.0, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as an attacker could potentially compromise other users' accounts through this vulnerability.
• php / web:
grep -r "/edit-course.php" /var/www/html/
• php / web:
curl -I http://your-student-record-system.com/edit-course.php?Course Short Name=<script>alert(1)</script>
• generic web:
curl -I http://your-student-record-system.com/edit-course.php?Course Short Name=<script>alert(1)</script> | grep -i 'script'
disclosure
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3402 is to upgrade to a patched version of PHPGurukul Student Record Management System. Since a fixed version is not specified, thoroughly review the vendor's security advisories and release notes for the latest updates. As a temporary workaround, implement strict input validation and output encoding on the 'Course Short Name' parameter in /edit-course.php to sanitize user-supplied data. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly scan the application for XSS vulnerabilities using automated tools.
Upgrade to a patched version of PHPGurukul Student Record Management System. If no patched version is available, sanitize user input in the edit-course.php file, especially the 'Course Short Name' argument, to prevent XSS code execution. A Content Security Policy (CSP) can also be implemented to mitigate the risk.
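The workaround described above (validate on input, encode on output, add a CSP) is shown here as an added PHP example; it is not PHPGurukul's code, and the form field name `course_short_name` is an assumption, since the page only gives the label 'Course Short Name'.

```php
<?php
// Added example, not PHPGurukul's code. The form field name
// course_short_name is hypothetical: the page only gives the label
// 'Course Short Name', not the real parameter name.

// Vulnerable pattern: the submitted value is written straight into HTML,
// so a value like <script>alert(1)</script> is rendered as markup.
function render_vulnerable(string $value): string
{
    return '<input type="text" name="course_short_name" value="' . $value . '">';
}

// Fix 1, validate on input: a course short name is a short token, so accept
// only an explicit allow-list of characters instead of trying to strip tags.
function validate_course_short_name(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/^[A-Za-z0-9 .&\-]{1,20}$/', $value) !== 1) {
        return null; // caller rejects the request
    }
    return $value;
}

// Fix 2, encode on output: escape the value for the HTML context it lands in.
// ENT_QUOTES also escapes single quotes, so attribute values cannot be
// broken out of; always pass the charset explicitly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $value): string
{
    return '<input type="text" name="course_short_name" value="' . h($value) . '">';
}

// Request handling sketch for edit-course.php: validate, then encode wherever
// the value is displayed. The CSP header is defence in depth, not a substitute
// for output encoding, and must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $short = validate_course_short_name($_POST['course_short_name'] ?? '');
    if ($short === null) {
        http_response_code(400);
        exit('Invalid course short name.');
    }
    // ... persist $short with a prepared statement, then redisplay it:
    echo render_hardened($short);
}
```

A `script-src 'self'` policy also blocks the application's own inline scripts, so test it in report-only mode before enforcing it.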
CVE-2026-3402 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Student Record Management System versions up to 1.0, allowing attackers to inject malicious scripts via the 'Course Short Name' parameter.
If you are using PHPGurukul Student Record Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of PHPGurukul Student Record Management System. Review vendor advisories for the latest updates and implement input validation as a temporary workaround.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity and implement mitigation strategies.
Consult the PHPGurukul website and security advisories for the official advisory regarding CVE-2026-3402.