How CVE-2025-6477 Works
The vulnerability lies in the `/script/admin/system` component of SourceCodester Student Result Management System 1.0. An attacker with admin access can store malicious JavaScript through the `School Name` parameter because the input is not properly sanitized. When an administrator later views the System Settings page, the stored payload executes in that administrator's browser context, enabling session hijacking or unauthorized actions. The flaw is remotely exploitable with low attack complexity but requires high privileges (admin access) and user interaction. The CVSS 4.0 vector (AV:N/AC:L/PR:H/UI:P) reflects these conditions.
DailyCVE Form
Platform: SourceCodester
Version: 1.0
Vulnerability: XSS
Severity: Medium
Date: 06/25/2025
Prediction: 07/15/2025
What Undercode Says
curl -X POST -d "School_Name=<script>alert(1)</script>" http://target/script/admin/system
UPDATE system_settings SET school_name = '<script>malicious_code</script>' WHERE id = 1;
How to Exploit
1. Craft XSS payload
2. Inject via School Name
3. Trigger via admin view
Protection from this CVE
1. Input sanitization
2. Output encoding
3. CSP headers
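An added example, not code from the SourceCodester project, showing the three protections listed above for a stored settings value like School Name: an allow-list check on write, context-aware HTML escaping on read, and a restrictive CSP header for the admin page. The `school_name` field name and the surrounding markup are assumptions.

```python
# Added example (not from the SourceCodester project): defensive handling of a
# stored "School Name" setting rendered on an admin settings page.
import html
import re

# Assumption: a school name is a short printable string with no HTML markup.
_SCHOOL_NAME_RE = re.compile(r"^[A-Za-z0-9 .,'&()\-]{1,100}$")

# Constructed sample of the kind of payload the advisory describes.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"


def validate_school_name(value: str) -> str:
    """Input sanitization: accept the setting only if it matches the allow-list."""
    if not _SCHOOL_NAME_RE.fullmatch(value):
        raise ValueError("school name contains disallowed characters")
    return value


def render_settings_vulnerable(school_name: str) -> str:
    """The pattern behind the CVE: the stored value is echoed raw into the page."""
    return f'<input name="school_name" value="{school_name}">'


def render_settings_safe(school_name: str) -> str:
    """Output encoding: escape for attribute and text contexts before rendering."""
    escaped = html.escape(school_name, quote=True)  # quote=True also covers " and '
    return (f'<input name="school_name" value="{escaped}">'
            f'<h2>{escaped}</h2>')


def csp_header() -> str:
    """CSP header: same-origin scripts only, so an injected inline script is blocked."""
    return ("Content-Security-Policy: default-src 'self'; "
            "script-src 'self'; object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print(render_settings_vulnerable(SAMPLE_PAYLOAD))  # script tag reaches the browser
    print(render_settings_safe(SAMPLE_PAYLOAD))        # rendered as inert text
    print(csp_header())
```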
Impact
1. Session hijacking
2. Admin compromise
3. Data theft
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode