Exploit Details
Basic Information
| Exploit Title | code-projects Online Exam Mastering System 1.0 – Reflected Cross-Site Scripting (XSS) |
|---|---|
| Exploit ID | EDB-ID:52272 |
| Type | exploitdb |
| Published | 2025-04-22T00:00:00 |
| Modified | 2025-04-22T00:00:00 |
CVSS Information
| CVSS Score | 6.1 |
|---|---|
| Severity | MEDIUM |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE Information
- CVE-2025-28121
Exploit Description
Exploit Code
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121
# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the “q” parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.
# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback
# PoC (Proof of Concept):
# Payload:
http://localhost/exam/feedback.php?q=
# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.
# Impact:
# – Account takeover via stolen cookies if a privileged user clicks the malicious link.
# – Full control of victim's session context if exploited properly.
# – Can be chained with social engineering to target administrators.
# Mitigation:
# – Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# – Implement Content Security Policy (CSP) headers.
# – Avoid reflecting unsanitized GET parameters into the HTML response.
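As an added example, not code from the Online Exam Mastering System project (the advisory does not show the real feedback.php source, so the vulnerable pattern below is an assumed reconstruction of what the description states), here is the reflected-echo pattern beside the `htmlspecialchars()` fix, an allow-list variant that never reflects the raw value, and the CSP header the mitigation list recommends:

```php
<?php
// Assumed reconstruction of the flaw the advisory describes: the "q" query
// parameter is written straight into the HTML response without encoding.
function render_message_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return '<p class="msg">' . $q . '</p>';   // reflected unencoded
}

// Hardened version: encode for the HTML body context at the point of output.
// ENT_QUOTES is passed explicitly because on PHP 7.x (the tested stack) the
// default flags do not encode single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_message_safe(array $get): string
{
    $q = $get['q'] ?? '';
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="msg">' . $encoded . '</p>';
}

// Stricter alternative for a fixed status message: the parameter selects a
// server-side string from an allow-list, so untrusted text never reaches HTML.
const MESSAGES = [
    'thanks' => 'Thank you for your valuable feedback',
];
function render_message_allowlist(array $get): string
{
    $key  = $get['q'] ?? '';
    $text = MESSAGES[$key] ?? 'Unknown message';
    return '<p class="msg">' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</p>';
}

// Defence in depth: a policy that forbids inline script limits what any
// reflected string can do even if an encoding mistake slips through.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed, harmless sample input containing HTML metacharacters.
$sample = ['q' => '<b>"feedback"</b> & more'];
send_csp_header();                                   // must precede any output
echo render_message_vulnerable($sample), PHP_EOL;    // markup reaches the browser as-is
echo render_message_safe($sample), PHP_EOL;          // metacharacters arrive as entities
echo render_message_allowlist(['q' => 'thanks']), PHP_EOL;
```

Run it with `php` on the command line to compare the three outputs; in a web context the CSP header is only honoured if it is sent before the response body.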