CVE-2025-15052
Unknown Unknown - Not Provided
Remote XSS in code-projects Student Information System /profile.php

Publication date: 2025-12-24

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15052
EUVD
EUVD-2025-205042
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
fabian_ros student_information_system 1.0
code-projects student_information_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15052 is a Stored Cross-Site Scripting (XSS) vulnerability in the Student Information System version 1.0, specifically in the /profile.php file. It occurs because the firstname and lastname input fields are not properly sanitized or encoded before being stored and displayed. This allows attackers to inject malicious JavaScript code that is stored on the server and executed in other users' browsers when they view affected profiles, potentially compromising user data and session integrity. [1, 2, 3]

Impact Analysis

This vulnerability can lead to session cookie theft, account takeover, unauthorized actions such as password changes or content publishing, forced advertisement display, spam sending, and using the victim's machine for distributed denial-of-service (DDoS) attacks. Attackers can execute malicious scripts in the context of other users' browsers remotely, potentially compromising data integrity and user accounts. [2, 3]

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable /profile.php page and testing the firstname and lastname parameters for cross-site scripting (XSS) by injecting typical XSS payloads such as <script>alert(document.cookie)</script>. Google dorking can be used to find vulnerable targets using queries like "inurl:profile.php". Additionally, you can manually test by submitting payloads in the firstname and lastname fields and observing if the script executes when viewing the profile or search results pages. There is no specific network command provided, but manual or automated web application testing tools can be used to inject and detect XSS payloads in these parameters. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1) Implement context-sensitive output encoding of all user-supplied data before rendering it in HTML, such as converting < and > characters to their HTML entities. 2) Use robust input sanitization libraries like HTML Purifier for PHP to allow only safe HTML tags and remove malicious scripts. 3) Implement a strict Content Security Policy (CSP) to restrict the sources of executable scripts and reduce the impact of any remaining vulnerabilities. 4) Consider replacing the affected software with an alternative product if possible. These steps help prevent malicious scripts from being stored or executed in users' browsers. [2, 1]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows for cross-site scripting attacks that can lead to session hijacking, unauthorized actions, and potential data compromise, it could indirectly affect compliance by risking the confidentiality and integrity of personal or sensitive data managed by the Student Information System. No direct statements about compliance impact are given. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart