Simple Scheduling System
Monthly
Stored Cross-Site Scripting in code-projects Simple Scheduling System 1.0 allows an attacker to inject arbitrary JavaScript via the Subject Description field, which executes in victims' browsers when they view the affected page. The scope change in the CVSS vector (S:C) confirms the script runs in a different security context than where the payload is injected, enabling session hijacking, credential theft, or malicious redirects against users of the application. A publicly available proof-of-concept exploit exists, though exploitation probability remains low (EPSS 0.22%) and no confirmed active exploitation is recorded.
Stored Cross-Site Scripting in code-projects Simple Scheduling System 1.0 allows an attacker to inject arbitrary JavaScript via the Subject Description field, which executes in victims' browsers when they view the affected page. The scope change in the CVSS vector (S:C) confirms the script runs in a different security context than where the payload is injected, enabling session hijacking, credential theft, or malicious redirects against users of the application. A publicly available proof-of-concept exploit exists, though exploitation probability remains low (EPSS 0.22%) and no confirmed active exploitation is recorded.