CVE-2025-9438
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected is an unknown function of the file /admin/add_student.php. The manipulation of the argument address results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9438
EUVD
EUVD-2025-25819
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
1000projects online_student_project_report_submission_and_evaluation_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include: 1) Implement proper output encoding of user inputs before rendering them on web pages using context-appropriate encoding methods; 2) Apply strict input validation and filtering to reject or sanitize malicious content such as script tags; 3) Deploy a strict Content Security Policy (CSP) to restrict allowable script sources and prevent execution of unauthorized scripts; 4) Set HttpOnly and Secure flags on cookies to protect against theft via JavaScript; 5) Conduct regular security audits to identify and fix vulnerabilities promptly. [1]

Executive Summary

CVE-2025-9438 is a Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Online Project Report Submission and Evaluation System, specifically in the /admin/add_student.php file. The vulnerability occurs because the application outputs user input from the 'address' parameter directly to the web page without proper encoding or filtering. This allows attackers to inject malicious JavaScript code that executes in the victim's browser, potentially stealing cookies, session tokens, or performing unauthorized actions. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary scripts in your browser when you visit a maliciously crafted page. This can lead to theft of sensitive information such as cookies and session tokens, unauthorized actions performed on your behalf, defacement of web pages, redirection to malicious sites, and potential control over your browser. It poses a significant threat to user privacy and system security. [1]

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP request to the vulnerable endpoint and observing if the injected script executes. For example, you can use curl to send a request with a malicious payload in the 'address' parameter: curl -X POST "http://<target-ip>/rse/admin/add_student.php" --data "name=1&phone=2019&regno=1&dob=1&gender=1&address=<script>alert('XSS')</script>&add=add". If the response contains the script unencoded and it executes in a browser, the vulnerability is present. Additionally, web vulnerability scanners that test for reflected XSS can be used to detect this issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart