Student Information System
CVE-2025-15052
Severity: LOW (NVD rating; NVD is the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Description (CVE.org)
A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Manipulation of the argument firstname/lastname results in cross-site scripting. The attack can be carried out remotely. The exploit is now public and may be used.
Analysis (AI)
Cross-site scripting (XSS) via the unsanitized firstname and lastname parameters of /profile.php in code-projects Student Information System 1.0 lets a remote attacker who holds a low-privileged account, and who can get a victim to interact with the injected content, run script in the victim's browser. Per the NVD vector the scored impact is limited to integrity (VI:L); no confidentiality or availability impact is scored. The CVSS 4.0 score is 2.0 (LOW), reflecting the authentication and user-interaction requirements. Public exploit code exists (E:P), while EPSS assigns a 0.06% exploitation probability, so real-world attack likelihood is considered limited despite the public POC.
Technical Context (AI)
The flaw is CWE-79 (Improper Neutralization of Input During Web Page Generation) in a PHP web application; the CVE record does not state whether the XSS is reflected or stored. The /profile.php endpoint accepts the firstname and lastname parameters without adequate input validation or output encoding, so when those values are written into the HTML response an attacker can embed JavaScript that executes in the browser of whoever views the page. The NVD CPE entry (cpe:2.3:a:fabian:student_information_system:1.0) lists the vendor as fabian, which differs from the code-projects attribution in the CVE description; the product is Student Information System 1.0, a PHP-based educational management web application.
Remediation (AI)
No vendor-released patch had been identified at the time of analysis. The primary mitigation is to upgrade to a fixed version if one becomes available; check https://code-projects.org/ for releases beyond 1.0. If patching is not immediately possible, apply compensating controls: (1) validate the firstname and lastname parameters against an allowlist (letters and a small set of safe punctuation); (2) HTML-entity-encode every user-supplied value at output time, before it is written into HTML (in PHP, htmlspecialchars() with the ENT_QUOTES flag), which is the control that actually closes the injection; (3) send a Content-Security-Policy header, e.g. Content-Security-Policy: default-src 'self'; script-src 'self', so inline scripts and injected script tags are not executed even if encoding is missed somewhere (the source keywords must be quoted; a bare self is parsed as a host name); (4) restrict profile editing to administrators or otherwise trusted users; (5) deploy web application firewall (WAF) rules that block common XSS payloads in the firstname/lastname parameters, keeping in mind that WAF signatures are bypassable and are a stopgap rather than a fix. Trade-offs: an ASCII-only allowlist will reject legitimate non-ASCII names unless it is written with Unicode character classes; CSP may break legitimate inline scripts in the application; restricting profile editing reduces user autonomy.
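The following PHP is an added example illustrating controls (1) through (3) above; it is not code from the Student Information System and not the project's fix. The real /profile.php source is not reproduced on this page, so the "vulnerable" function is a hypothetical reconstruction of the CWE-79 pattern, kept only for contrast, and the function names, the 64-character length cap and the demo inputs are assumptions of this example. The allowlist goes beyond the text by using Unicode character classes so that non-ASCII names still pass.

```php
<?php
// Added example (not the project's own code). The real /profile.php is not
// shown on this page; render_name_vulnerable() is a hypothetical reconstruction
// of the CWE-79 pattern, present only to contrast with the hardened version.
declare(strict_types=1);

// Hypothetical vulnerable pattern: request values interpolated straight into HTML.
function render_name_vulnerable(string $first, string $last): string
{
    return "<h2>Profile: {$first} {$last}</h2>";
}

// Output encoding is the control that closes the XSS. ENT_QUOTES also encodes
// the single quote, so the value is safe inside single-quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $first, string $last): string
{
    return '<h2>Profile: ' . h($first) . ' ' . h($last) . '</h2>';
}

// Input validation as defence in depth. \p{L} (letters) and \p{M} (combining
// marks) instead of [A-Za-z] keep names such as "Zoë" or "José" working, which
// an ASCII-only allowlist would reject. The 64-character cap is an assumption.
function valid_name(string $s): bool
{
    return $s !== ''
        && mb_strlen($s, 'UTF-8') <= 64
        && preg_match("/^[\p{L}\p{M}' .\-]+$/u", $s) === 1;
}

// CSP for the hardened page. Keywords must be quoted: an unquoted self would be
// parsed as a host name. With no 'unsafe-inline', an injected <script> block or
// onerror= handler is not executed even if an encoding call is missed elsewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed demo input (not taken from any real exploit).
$first = '<script>alert(document.cookie)</script>';
$last  = "O'Brien";

echo render_name_vulnerable($first, $last), "\n"; // script tag lands in the page verbatim
echo render_name_safe($first, $last), "\n";       // &lt;script&gt;... is rendered as text
var_dump(valid_name($first));                      // false: rejected before it is stored
var_dump(valid_name('Zoë O\'Brien'));              // true: non-ASCII letters still accepted
```

Apply h() at every point where a stored or reflected name reaches HTML, not only on the profile page: a stored value written unencoded anywhere else in the application reopens the same issue. send_csp_header() must be called before any output is sent, for example at the top of a shared include.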