CVE-2025-9438
BaseFortify
Publication date: 2025-08-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1000projects | online_student_project_report_submission_and_evaluation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9438 is a Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Online Project Report Submission and Evaluation System, specifically in the /admin/add_student.php file. The vulnerability occurs because the application outputs user input from the 'address' parameter directly to the web page without proper encoding or filtering. This allows attackers to inject malicious JavaScript code that executes in the victim's browser, potentially stealing cookies, session tokens, or performing unauthorized actions. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your browser when you visit a maliciously crafted page. This can lead to theft of sensitive information such as cookies and session tokens, unauthorized actions performed on your behalf, defacement of web pages, redirection to malicious sites, and potential control over your browser. It poses a significant threat to user privacy and system security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP request to the vulnerable endpoint and observing if the injected script executes. For example, you can use curl to send a request with a malicious payload in the 'address' parameter: curl -X POST "http://<target-ip>/rse/admin/add_student.php" --data "name=1&phone=2019®no=1&dob=1&gender=1&address=<script>alert('XSS')</script>&add=add". If the response contains the script unencoded and it executes in a browser, the vulnerability is present. Additionally, web vulnerability scanners that test for reflected XSS can be used to detect this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement proper output encoding of user inputs before rendering them on web pages using context-appropriate encoding methods; 2) Apply strict input validation and filtering to reject or sanitize malicious content such as script tags; 3) Deploy a strict Content Security Policy (CSP) to restrict allowable script sources and prevent execution of unauthorized scripts; 4) Set HttpOnly and Secure flags on cookies to protect against theft via JavaScript; 5) Conduct regular security audits to identify and fix vulnerabilities promptly. [1]