CVE-2025-41107
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-14

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', wich affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-14
Generated
2026-05-07
AI Q&A
2025-11-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-41107
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qdocs smart_school 7.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-41107 is a Stored Cross-Site Scripting (XSS) vulnerability in Smart School version 7.0. It occurs because the application does not properly validate user input sent via POST requests to the '/online_admission' endpoint, specifically in parameters like 'firstname', 'lastname', and 'guardian_name'. This allows a remote attacker to inject malicious scripts that get stored and later executed in the context of an authenticated user's browser, potentially stealing session cookies. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing a remote attacker to execute malicious scripts in the browser of an authenticated user. This can lead to theft of session cookies, which may enable the attacker to hijack user sessions and gain unauthorized access to the system or sensitive information. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring POST requests to the '/online_admission' endpoint of Smart School 7.0, specifically inspecting parameters such as 'firstname', 'lastname', and 'guardian_name' for suspicious or malicious script content indicative of stored XSS. Commands to detect this could include using tools like curl or Burp Suite to send crafted POST requests and observe responses, or using network monitoring tools to capture and analyze HTTP traffic targeting the vulnerable endpoint. For example, a curl command to test might be: curl -X POST -d "firstname=<script>alert(1)</script>&lastname=test&guardian_name=test" https://target/school/online_admission. Additionally, web application scanners that detect XSS vulnerabilities can be used to automate detection. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the '/online_admission' endpoint to trusted users only, implementing input validation and sanitization on the server side to prevent malicious scripts from being stored, and educating users to avoid clicking on suspicious links. Since no patch or solution has been reported yet, applying web application firewalls (WAF) rules to block suspicious payloads targeting the vulnerable parameters can help reduce risk. Monitoring and logging access to the endpoint for unusual activity is also recommended. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart