Codeigniter Studentmanagementsystem
Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via a GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite PoC availability.
Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.
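Both findings above point at the same two missing controls in a CodeIgniter application: the student listing echoes the stored Name without output encoding, and the Students controller exposes its actions without checking for an authenticated session. The following is an added illustration of how a maintainer would close both gaps; it is not code from hemant6488's project. It assumes a CodeIgniter 3 layout, and the controller structure, the `student_model` model, the `logged_in` session key and the view file names are assumptions chosen for the example, not taken from the repository.

```php
<?php
// Added illustration, not code from hemant6488/CodeIgniter-StudentManagementSystem.
// Assumes CodeIgniter 3. The controller layout, the 'student_model' model, the
// 'logged_in' session key and the view names are assumptions for this example.
defined('BASEPATH') OR exit('No direct script access allowed');

// --- application/controllers/Students.php ---
class Students extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper(['form', 'url']);
        $this->load->model('student_model'); // assumed model name

        // Mitigation for the access-control issue: every action in this
        // controller, including addStudentView and addStudent, is refused
        // unless the request carries an authenticated session. Doing this in
        // the constructor means a newly added action cannot be forgotten.
        if ( ! $this->session->userdata('logged_in')) {
            redirect('login');
            exit;
        }
    }

    public function addStudentView()
    {
        $this->load->view('add_student');
    }

    public function addStudent()
    {
        $this->load->library('form_validation');
        // Server-side validation bounds the input, but it is not the XSS fix:
        // a name is legitimately allowed to contain characters such as ' or &,
        // so the listing view must encode on output regardless.
        $this->form_validation->set_rules('name', 'Name', 'required|trim|max_length[100]');
        if ($this->form_validation->run() === FALSE) {
            $this->load->view('add_student');
            return;
        }
        $this->student_model->insert(['name' => $this->input->post('name')]);
        redirect('students');
    }

    public function index()
    {
        $data['students'] = $this->student_model->get_all();
        $this->load->view('view_students', $data);
    }
}

// --- application/views/view_students.php (output side of the stored-XSS fix) ---
?>
<table>
<?php foreach ($students as $s): ?>
  <tr>
    <!-- Contextual output encoding: html_escape() (CI3 common helper) turns
         <, >, ", ' and & into entities, so a stored payload renders as text
         instead of executing in the viewer's browser. -->
    <td><?= html_escape($s['name']) ?></td>
  </tr>
<?php endforeach; ?>
</table>
```

The two files are shown together for brevity; in a real application they live at the paths given in the comments. The essential points are that the session check runs before any action in the controller, and that the view encodes every stored value at the point where it is placed into HTML, which neutralises payloads that were stored before the fix as well as new ones.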