CVE-2026-4356
Cross-Site Scripting in itsourcecode University Management System /add_result.php
Publication date: 2026-03-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | university_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4356 is a Cross-Site Scripting (XSS) vulnerability found in the itsourcecode University Management System version 1.0, specifically in the /add_result.php file involving the 'vr' parameter.

The vulnerability occurs because the application does not properly validate or encode user-supplied input in this parameter, allowing attackers to inject malicious scripts that execute in the victim's browser.

This flaw enables attackers to perform unauthorized actions such as stealing sensitive information and executing operations on behalf of the victim. [1, 2, 3]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to attackers injecting and executing arbitrary JavaScript code in a victim's browser. Possible consequences include:

- Stealing sensitive information such as cookies and session tokens.
- Performing unauthorized actions on behalf of the victim.
- Defacing web pages or redirecting users to malicious sites.
- Potentially gaining control over the victim's browser, compromising user privacy and system security.

[1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /add_result.php page of the itsourcecode University Management System version 1.0 for improper handling of the 'vr' parameter. Specifically, you can attempt to inject a simple XSS payload such as `<script>alert('XSS')</script>` into the 'vr' parameter and observe whether the script executes in the browser.

A practical detection method is to use a web browser or tools like curl or wget to send crafted requests to the vulnerable URL and check for reflected script execution.

- Example curl command to test for XSS: `curl -i "http://<target>/add_result.php?vr=<script>alert('XSS')</script>"`
- Use Google dorking to identify potentially vulnerable targets with the query: `inurl:add_result.php`

[2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this XSS vulnerability include implementing proper output encoding and input validation for the 'vr' parameter in /add_result.php to prevent execution of injected scripts.

- Apply output encoding based on context (HTML, JavaScript, CSS, URL) so that user input is treated as text, not executable code.
- Enforce strict input validation and filtering to accept only expected input formats, and sanitize or reject malicious content such as script tags.
- Implement a strict Content Security Policy (CSP) to restrict the sources of executable scripts and prevent unauthorized inline or external script execution.
- Set the HttpOnly and Secure flags on cookies to prevent JavaScript access and ensure cookies are transmitted only over HTTPS.
- Conduct regular security audits and code reviews to detect and remediate XSS and other vulnerabilities promptly.

If immediate code fixes are not possible, consider restricting access to the vulnerable page or replacing the affected product with a secure alternative. [2, 1]
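The mitigation steps above, shown as an added PHP illustration that is not the itsourcecode project's code: the unsafe reflection pattern described by CWE-79 next to a hardened handler that validates the parameter against an expected format, encodes it for the HTML context it lands in, and sends a CSP header as a second layer. The names `validate_vr`, `render_safe` and `csp_header`, the assumed format of a result value (a short code such as "A+" or "75.5"), and the sample inputs are all assumptions made for this example; the only values taken from the page are the parameter name 'vr' and the page's own test payload.

```php
<?php
// Added illustration, not the University Management System's own code.
// Demonstrates validate-then-encode handling of a request parameter such as
// 'vr' in /add_result.php. The expected format of 'vr' is an assumption.
declare(strict_types=1);

// Step 1: validate. Accept only the expected shape and reject everything else.
function validate_vr(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Assumed format: 1-16 letters, digits, dots, plus or minus (e.g. "A+", "75.5").
    return preg_match('/^[A-Za-z0-9.+\-]{1,16}$/', $raw) === 1 ? $raw : null;
}

// Step 2: encode for the HTML body/attribute context. ENT_QUOTES also escapes
// single quotes, which matters when a value is placed inside a quoted attribute.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The vulnerable shape this advisory describes: untrusted input written
// straight into the page with no neutralization.
function render_unsafe(array $get): string
{
    return '<input name="vr" value="' . ($get['vr'] ?? '') . '">';
}

// The hardened shape: validate, then encode for the destination context.
// A rejected value is never reflected back; a generic message is enough.
function render_safe(array $get): string
{
    $vr = validate_vr($get['vr'] ?? null);
    if ($vr === null) {
        return '<p class="error">Invalid result value.</p>';
    }
    return '<input name="vr" value="' . html_encode($vr) . '">';
}

// Defence in depth: a CSP that disallows inline scripts. In the real handler
// this is sent with header() before any output. If the page has legitimate
// inline scripts, nonce or hash sources would be needed (assumption).
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
}

// Constructed sample inputs for a local run (php add_result_example.php):
// a normal value, a value with a quote, and the page's own test payload.
$samples = [
    ['vr' => 'A+'],
    ['vr' => 'B"2'],
    ['vr' => "<script>alert('XSS')</script>"],
];
foreach ($samples as $get) {
    echo "unsafe: ", render_unsafe($get), PHP_EOL;
    echo "safe:   ", render_safe($get), PHP_EOL;
}
echo csp_header(), PHP_EOL;
```

Running the block prints the unsafe rendering with the raw markup intact, while the hardened path rejects the quoted and script-tag inputs before they reach the output and encodes the accepted value. The order matters: validation narrows what is accepted, encoding guarantees that whatever is accepted cannot change the HTML syntax, and the CSP limits the damage if either step is bypassed elsewhere in the application.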