
Student Grades Management System

8 CVEs (product)

CVE-2026-9486 LOW POC Monitor

Cross-site request forgery in SourceCodester Student Grades Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - such as modifying student grade records - by tricking authenticated users into visiting a malicious page. The CVSS 4.0 score of 2.1 reflects constrained impact: integrity loss is low (VI:L), and there is no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists on GitHub (corroborated by E:P in the CVSS vector), though EPSS at 0.02% (4th percentile) signals negligible observed exploitation activity and no public exploit identified at time of analysis has matured into confirmed active exploitation.

Tags: CSRF, Student Grades Management System | References: NVD, VulDB, GitHub | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-9485 LOW POC Monitor

Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.

Tags: PHP, XSS, Student Grades Management System | References: NVD, VulDB, GitHub | CVSS 4.0: 2.0 | EPSS: 0.0%
CVE-2026-9484 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.

Tags: PHP, Authentication Bypass, Student Grades Management System | References: NVD, VulDB, GitHub | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-9483 LOW POC Monitor

Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.

Tags: PHP, Authentication Bypass, Student Grades Management System | References: NVD, VulDB, GitHub | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2025-64070 MEDIUM POC This Month

Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field.

Tags: XSS, Student Grades Management System | References: NVD, GitHub | CVSS 3.1: 5.4 | EPSS: 0.0%
CVE-2025-63892 MEDIUM POC This Week

A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Rated medium severity (CVSS 6.8), it is remotely exploitable with low attack complexity. Public exploit code is available, and no vendor patch is available.

Tags: PHP, XSS, Student Grades Management System | References: NVD, GitHub | CVSS 3.1: 6.8 | EPSS: 0.1%
CVE-2025-12332 LOW POC Monitor

Stored cross-site scripting (XSS) vulnerability in SourceCodester Student Grades Management System 1.0 allows authenticated administrators with high privileges to inject malicious scripts via the delete_user function in /admin.php, which execute in the context of other users' browsers when they interact with affected content. The vulnerability requires user interaction and administrative privileges to exploit, resulting in low integrity impact with a CVSS score of 1.9. Publicly available exploit code exists, though the very low EPSS score (0.05%, 14th percentile) suggests limited real-world exploitation despite POC availability.

Tags: PHP, XSS, Student Grades Management System | References: NVD, GitHub, VulDB | CVSS 4.0: 1.9 | EPSS: 0.0%
CVE-2025-11485 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Student Grades Management System 1.0 allows authenticated administrators with high privileges to inject malicious scripts via the first_name or last_name parameters in the Manage Users Page (/admin.php), which are then executed when viewed by other users. The vulnerability requires administrator authentication and user interaction (page view), limiting real-world impact despite public exploit availability. EPSS exploitation probability is extremely low (0.03%, 9th percentile), reflecting the restrictive access controls (PR:H) and user interaction requirement (UI:P) despite network-accessible delivery.

Tags: PHP, XSS, Student Grades Management System | References: NVD, GitHub, VulDB | CVSS 4.0: 1.9 | EPSS: 0.0%