Description
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Teacher Management module of the School Management System PHP.
User-controlled fields (username, fname, lname) are stored in the database without sanitization and rendered without output encoding in multiple pages (including the teacher list and teacher view).
An authenticated administrator can inject malicious JavaScript that executes when other users (including other admins) view the teacher list or profile.
Vulnerable Component
File: Admin/teacher-view.php (and likely teacher.php / list view)
Affected parameters:
- username
- fname (First Name)
- lname (Last Name)
Vulnerable code example:
<h5 class="card-title text-center">@<?=$teacher['username']?></h5>
<li class="list-group-item">First name: <?=$teacher['fname']?></li>
<li class="list-group-item">Last name: <?=$teacher['lname']?></li>
Proof of Concept (PoC)
- Log in as administrator.
- Go to Teachers → Edit an existing teacher (or create new).
- Inject the payload in the Last Name field:
<script>alert(document.cookie)</script>
- Save the changes.
- Go back to the Teachers list page (teacher.php).
Result: The JavaScript executes as soon as the list renders, without further user interaction. The alert displays document.cookie, which includes the victim's PHPSESSID if the session cookie is not flagged HttpOnly; a real attacker would replace alert() with code that sends the cookie to a remote host instead of displaying it.
Impact
- Session hijacking / Account takeover (full admin access)
- Execution of arbitrary JavaScript in authenticated user context
- Potential data theft and unauthorized actions
Vulnerability Type
Stored Cross-Site Scripting (CWE-79)
Suggested Fix
Use proper output escaping everywhere user data is displayed:
<?= htmlspecialchars($teacher['lname'], ENT_QUOTES, 'UTF-8') ?>
Do this for all fields (username, fname, lname, etc.) in all teacher-related views.
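The following is an added example, not code from the School Management System PHP repository. It places the vulnerable rendering pattern from Admin/teacher-view.php beside a hardened version that routes every user-controlled value through a small escaping helper at output time. The helper name e(), the two render functions and the $teacher array (which carries the PoC payload) are illustrative constructions, not identifiers from the project.

```php
<?php
// Added example: vulnerable vs. hardened rendering of a teacher record.
// e(), renderVulnerable(), renderSafe() and the sample $teacher array are
// hypothetical; only the HTML markup mirrors the affected view.

declare(strict_types=1);

// Encode a value for an HTML text or quoted-attribute context.
// ENT_QUOTES escapes both " and ' so the helper is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed record, as it would come back from the database after the PoC
// stored the payload in the Last Name field.
$teacher = [
    'username' => 'jdoe',
    'fname'    => 'John',
    'lname'    => '<script>alert(document.cookie)</script>',
];

// Vulnerable rendering: raw interpolation, the pattern shown in the advisory.
// Whatever was stored is emitted into the page as markup.
function renderVulnerable(array $teacher): string
{
    return <<<HTML
<h5 class="card-title text-center">@{$teacher['username']}</h5>
<li class="list-group-item">First name: {$teacher['fname']}</li>
<li class="list-group-item">Last name: {$teacher['lname']}</li>
HTML;
}

// Hardened rendering: every user-controlled value passes through e() at the
// point of output, so the stored payload is shown as literal text.
function renderSafe(array $teacher): string
{
    $username = e($teacher['username']);
    $fname    = e($teacher['fname']);
    $lname    = e($teacher['lname']);
    return <<<HTML
<h5 class="card-title text-center">@{$username}</h5>
<li class="list-group-item">First name: {$fname}</li>
<li class="list-group-item">Last name: {$lname}</li>
HTML;
}

echo "--- vulnerable ---\n", renderVulnerable($teacher), "\n\n";
echo "--- hardened ---\n", renderSafe($teacher), "\n";
// In the hardened output the payload appears as
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;, which the browser renders
// as text rather than executing it.
```

Escaping belongs at the point of output, not at the point of storage: the same value may later be written into an attribute, a JavaScript string or a JSON response, each of which needs its own encoding. As defence in depth, and not a substitute for the fix, setting session.cookie_httponly (or the httponly flag on session_set_cookie_params()) keeps PHPSESSID out of document.cookie, so a payload like the one in the PoC could no longer read the session identifier even if another injection point were missed.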
Affected Repository
Repository: https://github.com/codingWithElias/school-management-system-php
Affected file: Admin/teacher-view.php + teacher listing pages
Affected version: Up to commit f1ac334