Studentmanagementsystem
SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.
Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.
SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.
SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.
Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.