CVE-2025-6475
BaseFortify
Publication date: 2025-06-22
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| razormist | student_result_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the SourceCodester Student Result Management System 1.0, specifically in the Manage Students module. It occurs because the application does not properly sanitize user input in the First Name field. An attacker with valid administrative access can inject malicious JavaScript code into this field, which is then stored and executed every time the students listing page is loaded. This allows the attacker to run arbitrary JavaScript in the context of the application. [1]
How can this vulnerability impact me?
The vulnerability can lead to execution of attacker-controlled JavaScript code in the browser of administrative users. This can result in session cookie theft, unauthorized actions performed on behalf of the administrator, or content defacement within the application. Essentially, it compromises the security and integrity of the administrative interface. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the application improperly sanitizes input in the First Name field of the Manage Students module. A practical detection method is to log in with administrative credentials, navigate to /srms/script/admin/manage_students, edit a student record, and inject a test payload such as <script>alert('PoC VulDB SRMS')</script> into the First Name field. Then, observe if the script executes on the /srms/script/admin/students page. There are no specific network commands provided, but manual testing through the web interface as described is the suggested approach. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrative access to trusted users only, avoiding input of untrusted data into the First Name field, and applying input validation and sanitization to prevent script injection. Additionally, monitoring and removing any malicious scripts already stored in the student records can help. Since the vulnerability requires administrative access to exploit, limiting and auditing admin privileges is critical until a patch or update is available. [1]
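The stored-record audit and the output encoding described above, as an added example that is not from the original page or from the application's own code. The row layout, the function names and the sample values are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows standing in for stored student records
# (id, first_name); the real table layout is not given on the page.
SAMPLE_ROWS = [
    (1, "Maria"),
    (2, "Jean-Luc"),
    (3, "<script>alert('PoC VulDB SRMS')</script>"),  # test payload quoted on the page
    (4, "O'Neil"),                                     # legitimate apostrophe
    (5, 'Ann" onmouseover="x'),                        # attribute-breakout style value
    (6, "Zoë"),
]

# Characters a first name has no reason to contain: angle brackets,
# double quotes, backticks, '=' and HTML character references.
MARKUP = re.compile(r'[<>"`=]|&#?\w+;')


def audit_first_names(rows):
    """Return the ids of records whose first name contains markup characters."""
    return [row_id for row_id, name in rows if MARKUP.search(name)]


def render_cell_unsafe(first_name):
    """The flawed pattern: the stored value is concatenated into HTML as-is."""
    return "<td>" + first_name + "</td>"


def render_cell(first_name):
    """Hardened form: encode the value for an HTML context at output time."""
    return "<td>" + html.escape(first_name, quote=True) + "</td>"


if __name__ == "__main__":
    print("records to review:", audit_first_names(SAMPLE_ROWS))
    for _, name in SAMPLE_ROWS:
        print(render_cell(name))
```

Encoding at output time protects the listing page even when a flagged record has not yet been cleaned up, and it leaves legitimate names such as O'Neil readable in the browser.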