StudentManage
CVE-2025-50584
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Admin credentials required to access teacher management module (PR:H); victim must load poisoned page (UI:R); scope change reflects cross-user browser execution context; no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module.
AnalysisAI
Stored cross-site scripting in DayCloud's StudentManage v1.0 allows authenticated administrators to inject malicious JavaScript via the Add A New Teacher module, which executes in victims' browsers when they load the affected page. The CVSS vector (PR:H, UI:R, S:C) confirms exploitation is gated behind high privileges and requires victim interaction, but the scope change flag reflects cross-user browser impact. A public proof-of-concept is available on GitHub; however, EPSS at 0.22% (13th percentile) and no CISA KEV listing indicate no confirmed widespread exploitation at time of analysis.
Technical ContextAI
StudentManage v1.0 (CPE: cpe:2.3:a:daycloud:studentmanage:1.0) is a web-based student management application by DayCloud, with its source repository hosted on Gitee. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting): user-supplied input submitted through the Add A New Teacher form is insufficiently sanitized or encoded before being rendered back to other users' browsers. This is characteristic of stored XSS, where a payload is persisted server-side and executes whenever the poisoned record is viewed. The CVSS S:C (scope changed) metric reflects that the injected script operates in the victim's browser security context - a different principal than the server - consistent with how stored XSS crosses trust boundaries without requiring server-side code execution.
RemediationAI
No vendor-released patch has been identified at time of analysis - the vulnerability was disclosed via a GitHub PoC report (https://github.com/SimonKang949/Vulnerabilities/issues/3) with no corresponding vendor advisory or confirmed fixed version. As compensating controls, administrators should implement a strict Content Security Policy (CSP) header to block inline script execution, which directly mitigates XSS payload execution at the browser level with minimal application functionality impact. All input fields in the Add A New Teacher module should be subjected to server-side output encoding (HTML entity encoding) before rendering. Access to the teacher management module should be restricted to the minimum necessary administrative accounts. If the application is internet-facing, consider temporarily disabling the Add A New Teacher feature until a fix is confirmed - note this will interrupt teacher onboarding workflows. Monitoring application logs for unexpected HTML or script characters in teacher record fields may help detect exploitation attempts.
More in Studentmanage
View allSQL injection in DayCloud StudentManage v1.0 lets an authenticated attacker inject arbitrary SQL through the /admin/admi
Cross-site request forgery in StudentManage v1.0 (DayCloud) allows a remote attacker to perform unauthorized state-chang
Stored XSS in DayCloud's StudentManage v1.0 allows an authenticated administrative user to inject malicious JavaScript v
Stored cross-site scripting in DayCloud StudentManage v1.0 allows an authenticated administrator to inject malicious Jav
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today