Compliance Impact

The reflected XSS vulnerability in the School Management System's admin interface poses a high confidentiality risk by potentially exposing administrator session cookies and authentication tokens. This exposure can lead to unauthorized access and control over administrative functions.

Such unauthorized access and data exposure can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of sensitive personal and administrative data against unauthorized disclosure and manipulation.

Therefore, this vulnerability could lead to violations of data protection requirements, increasing the risk of regulatory penalties and loss of trust.

Useful 0 Not Useful 0

Executive Summary

CVE-2025-65134 is a reflected Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the School Management System by manikandan580.

The vulnerability occurs in the /studentms/admin/contact-us.php file, where the email POST parameter is reflected unsafely into the admin interface response without any sanitization or output encoding.

This allows an attacker to inject arbitrary JavaScript code that executes in the browser of any administrator who submits or processes the crafted form input.

• Vulnerability Type: Reflected XSS (CWE-79), non-persistent.
• Attack Vector: Remote/network; no authentication required to submit the malicious POST request, but admin interaction is needed for full exploitation.
• Root Cause: The email parameter is directly embedded into the HTTP response body without escaping special HTML or JavaScript characters.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including high confidentiality and integrity risks.

• Confidentiality Risk: An attacker can steal administrator session cookies and authentication tokens if they are not protected by HttpOnly flags.
• Integrity Risk: The attacker can perform any admin-level actions by executing arbitrary JavaScript in the admin's browser.
• Availability Risk: There is a medium risk of forced logouts and manipulation of the application state.

Because the vulnerability is in an admin panel endpoint, successful exploitation can lead to full administrative control over the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending crafted POST requests to the /studentms/admin/contact-us.php endpoint with malicious JavaScript code in the email parameter and observing if the input is reflected unsafely in the response.

For example, you can use curl to test the vulnerability by sending a POST request with a script payload in the email field:

• curl -X POST -d "email=<script>alert('XSS')</script>" https://target-domain/studentms/admin/contact-us.php -v

If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.

Additionally, monitoring network traffic for suspicious POST requests to this endpoint or using web vulnerability scanners that detect reflected XSS can help identify this issue.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Apply output encoding to the email parameter using htmlspecialchars($email, ENT_QUOTES, 'UTF-8') before echoing it in the HTML response.
• Enforce strict server-side validation of the email parameter against RFC-compliant regular expressions to reject invalid or malicious inputs.
• Implement a Content Security Policy (CSP) header to block inline script execution, for example: script-src 'self'.
• Harden admin session cookies by setting HttpOnly and SameSite flags to reduce the impact of potential XSS exploitation.
• Sanitize inputs by stripping or encoding all HTML special characters at ingestion.

Useful 0 Not Useful 0