CVE-2025-15052
Remote XSS in code-projects Student Information System /profile.php
Publication date: 2025-12-24
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian_ros | student_information_system | 1.0 |
| code-projects | student_information_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15052 is a Stored Cross-Site Scripting (XSS) vulnerability in the Student Information System version 1.0, specifically in the /profile.php file. It occurs because the firstname and lastname input fields are not properly sanitized or encoded before being stored and displayed. This allows attackers to inject malicious JavaScript code that is stored on the server and executed in other users' browsers when they view affected profiles, potentially compromising user data and session integrity. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Implement context-sensitive output encoding of all user-supplied data before rendering it in HTML, such as converting < and > characters to their HTML entities.
2) Use robust input sanitization libraries like HTML Purifier for PHP to allow only safe HTML tags and remove malicious scripts.
3) Implement a strict Content Security Policy (CSP) to restrict the sources of executable scripts and reduce the impact of any remaining vulnerabilities.
4) Consider replacing the affected software with an alternative product if possible.
These steps help prevent malicious scripts from being stored or executed in users' browsers. [2, 1]
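Steps 1 and 3 above, plus write-time validation of the name fields, as an added PHP example; it is not code from the affected project. The function names `e()`, `clean_name()`, `csp_header()` and `render_profile()` are hypothetical, the array keys reuse the field names firstname and lastname given on this page, and the sample row is constructed.

```php
<?php
// Added example: hardened handling of the firstname/lastname fields.
// All function names here are hypothetical, not taken from profile.php.
declare(strict_types=1);

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Write-time check: 1-64 letters, marks, spaces, apostrophes, dots, hyphens. */
function clean_name(string $raw): ?string
{
    $name = trim($raw);
    $ok = preg_match('/^[\p{L}\p{M}][\p{L}\p{M} \'.\-]{0,63}$/uD', $name) === 1;
    return $ok ? $name : null; // null means: reject the form submission
}

/** CSP header line: only script elements carrying this nonce may execute. */
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'";
}

/** Render the name block; every dynamic value passes through e(). */
function render_profile(array $row): string
{
    return '<h1>' . e($row['firstname']) . ' ' . e($row['lastname']) . '</h1>';
}

// Constructed sample row: a value stored before any validation existed.
$row = [
    'firstname' => '<script>alert(document.cookie)</script>',
    'lastname'  => "O'Neil",
];

$nonce = base64_encode(random_bytes(16)); // fresh nonce for every response
if (PHP_SAPI !== 'cli') {
    header(csp_header($nonce));           // must be sent before any output
}
echo render_profile($row), "\n";          // stored markup is emitted as text
var_dump(clean_name($row['firstname']));  // legacy payload fails validation
var_dump(clean_name($row['lastname']));   // ordinary name passes unchanged
```

Encoding at output is what neutralizes rows already stored in the database; the write-time check only keeps new markup out. HTML Purifier (step 2) is not used here because name fields have no need to contain HTML at all.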
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows for cross-site scripting attacks that can lead to session hijacking, unauthorized actions, and potential data compromise, it could indirectly affect compliance by risking the confidentiality and integrity of personal or sensitive data managed by the Student Information System. No direct statements about compliance impact are given. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to session cookie theft, account takeover, unauthorized actions such as password changes or content publishing, forced advertisement display, spam sending, and using the victim's machine for distributed denial-of-service (DDoS) attacks. Attackers can execute malicious scripts in the context of other users' browsers remotely, potentially compromising data integrity and user accounts. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable /profile.php page and testing the firstname and lastname parameters for cross-site scripting (XSS) by injecting typical XSS payloads such as <script>alert(document.cookie)</script>. Google dorking can be used to find vulnerable targets using queries like "inurl:profile.php". Additionally, you can manually test by submitting payloads in the firstname and lastname fields and observing if the script executes when viewing the profile or search results pages. There is no specific network command provided, but manual or automated web application testing tools can be used to inject and detect XSS payloads in these parameters. [1, 2]