Listen to this Post
How the CVE Works
The vulnerability in School Fees Payment System 1.0 arises from improper input sanitization in the `/fees.php` file. The `transcation_remark` parameter is susceptible to stored XSS, allowing attackers to inject malicious JavaScript via crafted HTTP requests. When an admin or user views the transaction remarks, the script executes in their browser context. The attack is remotely exploitable without authentication, enabling session hijacking or defacement. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) reflects its network-based attack vector, low attack complexity, and partial impact on integrity.
DailyCVE Form
Platform: School Fees Payment System
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 06/25/2025
Prediction: Patch by 07/15/2025
What Undercode Say
Check for XSS payloads in transcation_remark curl -X POST -d "transcation_remark=<script>alert(1)</script>" http://target/fees.php Exploit confirmation grep -r "transcation_remark" /var/www/html/
How Exploit
- Craft a POST request with malicious JavaScript in
transcation_remark. - Trigger payload when admin views transaction logs.
Protection from this CVE
- Sanitize `transcation_remark` input.
- Implement CSP headers.
Impact
- Session hijacking
- Unauthorized actions
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
