Student File Management System
CVE-2025-14663
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
Cross-site scripting (XSS) in code-projects Student File Management System 1.0 allows high-privilege users to inject malicious scripts via the /admin/update_student.php endpoint, requiring user interaction to execute. The vulnerability has low real-world impact (CVSS 1.9, EPSS 0.06%) despite publicly available exploit code, as it demands high administrative privileges and user action; however, the low exploitation threshold (EPSS percentile 18%) indicates this is not a widespread threat.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the PHP-based admin interface of Student File Management System. The vulnerable endpoint /admin/update_student.php does not properly sanitize or escape user-supplied input before rendering it in responses. XSS allows attackers to execute arbitrary JavaScript in the context of an authenticated administrator's browser session, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The attack vector is network-based but requires high administrative privileges (PR:H) and user interaction (UI:P), significantly limiting exploitation scope.
RemediationAI
No vendor-released patch has been identified at time of analysis. Primary mitigation requires upgrading to a patched version once available from the vendor; contact code-projects for patch availability. Until patching is feasible, implement compensating controls: restrict /admin/update_student.php access to trusted internal networks only using a Web Application Firewall (WAF) or network-level access controls-this eliminates the network attack vector entirely at the cost of reduced remote admin access. Additionally, enforce input validation and output encoding within the application by sanitizing all user inputs and HTML-escaping output in update_student.php; this requires code review and testing but is independent of vendor patches. Apply Content Security Policy (CSP) headers to limit inline script execution, which reduces XSS impact if the vulnerability is exploited. Conduct security awareness training for administrators to avoid clicking suspicious links on admin pages. Monitor admin session activity for anomalous behavior post-compromise.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today