Student File Management System
CVE-2025-14662
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php of the component Update User Page. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used.
AnalysisAI
Cross-site scripting vulnerability in code-projects Student File Management System 1.0 allows high-privilege authenticated users to inject malicious scripts via the Update User Page at /admin/update_user.php, requiring user interaction to trigger. The exploit is publicly available and rated CVSS 1.9 due to restrictive privilege and UI requirements, though EPSS score of 0.05% indicates minimal real-world exploitation risk.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation, or Stored/Reflected XSS) in a PHP-based web application. The vulnerable endpoint /admin/update_user.php in the Update User Page component fails to properly sanitize or validate user input before rendering it in HTML context. The attack vector is network-accessible, suggesting the vulnerability can be triggered through HTTP requests, but exploitation requires high privilege level (PR:H) indicating admin or equivalent role, plus user interaction (UI:P) such as clicking a malicious link or visiting a crafted page. The low CVSS score (1.9) reflects these constraints, though the public availability of exploit code means defensive gaps are documented and attackable.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation should focus on access control and input validation: (1) Restrict access to /admin/update_user.php to a minimal trust boundary - use network segmentation or authentication proxy to limit admin interface exposure to internal networks or VPN-authenticated users only, trading off convenience for containment; (2) Implement input validation and output encoding at the application level - sanitize all user input using a whitelist of allowed characters and encode output using context-appropriate encoding (HTML entity encoding for HTML context, JavaScript encoding for JavaScript context) before rendering in /admin/update_user.php, which requires code modification if vendor does not provide a patch; (3) Apply Content Security Policy (CSP) headers to restrict inline script execution, reducing XSS impact even if injection succeeds, though this does not prevent cookie theft or credential theft via event handlers. Contact code-projects (https://code-projects.org/) to request a security patch for version 1.0.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today