Executive Summary

This vulnerability exists in the SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, specifically in the Registration component's /index.php?action=register file. It involves the manipulation of input arguments such as student_id, full_name, section, and username, which leads to a cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts through these inputs.

The attack can be performed remotely, and the exploit code is publicly available.

Useful 0 Not Useful 0

Impact Analysis

This cross-site scripting vulnerability can allow attackers to execute malicious scripts in the context of the affected web application. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of the user without their consent.

Since the exploit is publicly available and the attack can be launched remotely, it increases the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a cross site scripting (XSS) issue in the registration component of the SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. While the CVE description does not explicitly mention compliance impacts, XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data.

Such vulnerabilities may affect compliance with standards like GDPR or HIPAA if exploited to compromise personal or sensitive information, as these regulations require protection of user data and prevention of unauthorized access.

However, no direct information about compliance impact is provided in the available data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject typical XSS payloads into the registration fields (student_id, full_name, section, username) of the CET Automated Grading System's registration page and observing if the payload is stored and executed when the admin accesses the dashboard.

A proof of concept payload such as `"><svg onload=alert(1)>` can be submitted via the registration form to test for stored XSS.

To detect this on your system, you can use tools like curl or wget to send crafted POST requests to the registration endpoint and then check the admin dashboard for execution of the payload.

• Example curl command to test injection: curl -X POST -d "student_id=123"><svg onload=alert(1)>" -d "full_name=test" -d "section=sec" -d "username=user" http://target/PersonalAGS/index.php?action=register
• Monitor the admin dashboard for unexpected script execution or alerts triggered by the injected payload.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the registration form to prevent injection of malicious scripts.

Implement proper output encoding on the admin dashboard to ensure that any stored data is rendered safely without executing scripts.

Restrict access to the admin dashboard to trusted users and consider adding additional authentication or multi-factor authentication to reduce risk.

If possible, apply any available patches or updates from the vendor addressing this vulnerability.

As a temporary measure, monitor logs for suspicious registration attempts and consider disabling the registration feature if not immediately needed.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-7401 is a Stored Cross-Site Scripting (XSS) vulnerability in the CET Automated Grading System version 1.0, specifically in the student self-registration portal.

An unauthenticated attacker can inject malicious JavaScript code into registration fields such as student_id, full_name, section, and username.

These malicious scripts are stored in the system's database and execute when an administrator views the student dashboard.

This allows the attacker to perform actions like stealing the admin's session cookie and potentially taking over the admin account.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and control over the administrative dashboard.

• An attacker can hijack admin sessions by stealing session cookies.
• The attacker can take over the admin account, gaining full control of the system.
• The attacker can deface the admin dashboard or redirect pages to malicious sites.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject typical cross-site scripting payloads into the registration fields (student_id, full_name, section, username) of the CET Automated Grading System's registration page.

For example, you can use curl or similar HTTP request tools to send payloads like `"><svg onload=alert(1)>` to the registration endpoint and observe if the payload is stored and later executed in the admin dashboard.

• curl -X POST "http://target/PersonalAGS/index.php?action=register" -d "student_id=123"><svg onload=alert(1)>" -d "full_name=Test" -d "section=1" -d "username=testuser"

Monitoring the admin dashboard for unexpected script execution or alerts after such injections can confirm the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the registration page to prevent injection of malicious scripts.

Implement proper output encoding on the admin dashboard where the stored data is displayed to ensure that any injected scripts are not executed.

Restrict access to the admin dashboard to trusted users and consider adding authentication and authorization controls if not already present.

If possible, apply any available patches or updates from the vendor to fix the vulnerability.

As a temporary measure, monitor logs and network traffic for suspicious activity related to the registration and admin dashboard.

Useful 0 Not Useful 0