Executive Summary

CVE-2026-4972 is a Stored Cross-Site Scripting (XSS) vulnerability in the Online Reviewer System version 1.0. It occurs due to improper handling of user input in the description parameter within the btn_functions.php file. Specifically, user input from the description field is directly inserted into the database without validation or sanitization. When this stored input is later displayed in the web interface without proper HTML escaping, it allows malicious HTML or JavaScript code to execute in the browsers of users who view the affected content.

This vulnerability arises during an action=update POST request where the description parameter is processed insecurely. Because the malicious payload is stored server-side, it executes persistently whenever the compromised question is viewed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts including:

• Execution of arbitrary JavaScript code in the browsers of users viewing the compromised content.
• Theft of authentication cookies which can lead to session hijacking.
• Hijacking of administrator sessions allowing unauthorized control over the application.
• Unauthorized actions performed within the application by attackers.
• Injection of malicious content into exam questions or other displayed data.
• Phishing attacks targeting users of the application by exploiting the injected scripts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the affected endpoint for stored cross-site scripting (XSS) in the description parameter via HTTP POST requests.

A practical detection method is to send a crafted POST request to the vulnerable endpoint with a payload in the description parameter that triggers a JavaScript execution when the stored data is viewed.

For example, using curl to test the vulnerability:

• curl -X POST -d "action=update&description=<details/open/ontoggle=prompt(origin)>" https://yourserver/OnlineReviewerSystem_PHP/reviewer/system/system/admins/assessments/databank/btn_functions.php

If the payload executes (e.g., a JavaScript prompt appears) when viewing the affected question in the web interface, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating user input before storing it in the database and encoding output before rendering it in the web interface.

• Use output encoding functions such as htmlspecialchars() in PHP to encode user data before display, e.g., echo htmlspecialchars($row['question_desc'], ENT_QUOTES, 'UTF-8');
• Implement prepared statements for database queries to avoid unsafe query construction, for example: $stmt = $conn->prepare("UPDATE questions SET question_desc = ? WHERE q_id = ?"); $stmt->execute([$description, $q_id]);
• Apply input validation and sanitization on the description parameter to reject or clean malicious input.
• Deploy a Content Security Policy (CSP) header to restrict script execution, e.g., Content-Security-Policy: default-src 'self'

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript in victim browsers, which can lead to theft of authentication cookies, hijacking of administrator sessions, unauthorized actions within the application, injection of malicious content, and phishing attacks targeting users.

Such security issues can compromise the confidentiality and integrity of user data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access and attacks.

Therefore, this vulnerability may negatively impact compliance with these standards by exposing user data to unauthorized access and manipulation.

Useful 0 Not Useful 0