Skip to main content

StudentManage CVE-2025-50584

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-18 cve@mitre.org
4.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Admin credentials required to access teacher management module (PR:H); victim must load poisoned page (UI:R); scope change reflects cross-user browser execution context; no availability impact.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:19 vuln.today

DescriptionCVE.org

StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module.

AnalysisAI

Stored cross-site scripting in DayCloud's StudentManage v1.0 allows authenticated administrators to inject malicious JavaScript via the Add A New Teacher module, which executes in victims' browsers when they load the affected page. The CVSS vector (PR:H, UI:R, S:C) confirms exploitation is gated behind high privileges and requires victim interaction, but the scope change flag reflects cross-user browser impact. A public proof-of-concept is available on GitHub; however, EPSS at 0.22% (13th percentile) and no CISA KEV listing indicate no confirmed widespread exploitation at time of analysis.

Technical ContextAI

StudentManage v1.0 (CPE: cpe:2.3:a:daycloud:studentmanage:1.0) is a web-based student management application by DayCloud, with its source repository hosted on Gitee. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting): user-supplied input submitted through the Add A New Teacher form is insufficiently sanitized or encoded before being rendered back to other users' browsers. This is characteristic of stored XSS, where a payload is persisted server-side and executes whenever the poisoned record is viewed. The CVSS S:C (scope changed) metric reflects that the injected script operates in the victim's browser security context - a different principal than the server - consistent with how stored XSS crosses trust boundaries without requiring server-side code execution.

RemediationAI

No vendor-released patch has been identified at time of analysis - the vulnerability was disclosed via a GitHub PoC report (https://github.com/SimonKang949/Vulnerabilities/issues/3) with no corresponding vendor advisory or confirmed fixed version. As compensating controls, administrators should implement a strict Content Security Policy (CSP) header to block inline script execution, which directly mitigates XSS payload execution at the browser level with minimal application functionality impact. All input fields in the Add A New Teacher module should be subjected to server-side output encoding (HTML entity encoding) before rendering. Access to the teacher management module should be restricted to the minimum necessary administrative accounts. If the application is internet-facing, consider temporarily disabling the Add A New Teacher feature until a fix is confirmed - note this will interrupt teacher onboarding workflows. Monitoring application logs for unexpected HTML or script characters in teacher record fields may help detect exploitation attempts.

Share

CVE-2025-50584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy