Platform: php
Component: vulnerabilities
Fixed version: 1.0.1
CVE-2025-1159 is a cross-site scripting (XSS) vulnerability discovered in CampCodes School Management Software. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The issue affects versions 1.0 through 1.0 and has been resolved in version 1.0.1.
Successful exploitation of CVE-2025-1159 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive student and staff data, including personal information, grades, and financial records. The impact is amplified if the application is used in a shared hosting environment, as a compromised instance could potentially affect other tenants.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability was disclosed on 2025-02-10.
Schools and educational institutions utilizing CampCodes School Management Software versions 1.0-1.0 are at direct risk. Organizations relying on this software to manage student data and academic calendars should prioritize patching or implementing mitigation measures. Shared hosting environments where CampCodes is installed are particularly vulnerable, as a compromise could impact multiple tenants.
• php: Examine the /academic-calendar file for suspicious JavaScript code or unusual characters. Use grep to search for common XSS payloads (e.g., <script>, onload=).
grep -r '<script' /var/www/campcodes/academic-calendar
• generic web: Monitor access logs for requests to /academic-calendar containing unusual parameters or payloads. Look for POST requests with suspicious data.
curl -s 'http://your-campcodes-server.com/academic-calendar?param=<script>alert(1)</script>' > /dev/null 2>&1
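As an added example (not code from the page or from the CampCodes project), a small Python scanner that performs the access-log check described above: it URL-decodes the query string of every request to /academic-calendar, flags script-like markers, and lists POSTs to the endpoint for review. The combined log format, the IP addresses and the parameter names in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "GET /academic-calendar?month=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:02:10 +0000] "GET /academic-calendar?month=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "curl/8.4.0"
198.51.100.7 - - [10/Feb/2025:10:03:44 +0000] "POST /academic-calendar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:04:01 +0000] "GET /academic-calendar?title=x%22%20onload%3Dalert(1) HTTP/1.1" 200 5200 "-" "curl/8.4.0"
203.0.113.9 - - [10/Feb/2025:10:05:01 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 404 120 "-" "curl/8.4.0"
"""

# ip, identity, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Script-like markers that legitimate calendar parameters should never carry.
# The \b before "on" keeps a harmless "month=" from matching the event-handler pattern.
XSS_MARKERS = re.compile(r'<\s*/?\s*script|\bon[a-z]+\s*=|javascript:|<\s*(iframe|svg|img)\b',
                         re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; double encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text, target_path="/academic-calendar"):
    """Return (ip, method, decoded_query, reason) for requests to target_path worth reviewing."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("path").partition("?")
        if path != target_path:
            continue
        decoded = decode_fully(query)
        if XSS_MARKERS.search(decoded):
            hits.append((m.group("ip"), m.group("method"), decoded, "xss-marker"))
        elif m.group("method") == "POST":
            hits.append((m.group("ip"), m.group("method"), decoded, "post-review"))
    return hits
```

Feed the scanner a real log with `scan_log(open(path).read())`; a "post-review" hit is only a prompt to inspect the request body, which the access log does not record.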
Exploitation status
EPSS: 0.25% (48th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1159 is to upgrade CampCodes School Management Software to version 1.0.1 or later. If upgrading is not immediately feasible, implement strict input validation and output encoding on the /academic-calendar endpoint to prevent malicious script injection. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out potentially harmful requests. Regularly review and update the application's security configuration to minimize the attack surface.
Update to a patched version of CampCodes School Management Software. If no patched version is available, sanitize all user input in the /academic-calendar file to prevent execution of malicious JavaScript code. Consider contacting the vendor to obtain a patch.
CVE-2025-1159 is a cross-site scripting vulnerability affecting CampCodes School Management Software versions 1.0-1.0, allowing attackers to inject malicious scripts via the /academic-calendar file.
If you are using CampCodes School Management Software version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement strict input validation and output encoding on the /academic-calendar endpoint.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed and may be targeted by opportunistic attackers.
Please refer to the CampCodes website or contact their support team for the official advisory regarding CVE-2025-1159.