CVE-2025-13244
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Student Information System 2.0 registration page, which could execute in victims' browsers when they visit the compromised page. It affects all users of code-projects Student Information System 2.0 who have the vulnerable /register.php file accessible. The attack can be launched remotely without authentication.
💻 Affected Systems
- code-projects Student Information System
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, redirect users to malicious sites, deface the application, or perform actions on behalf of authenticated users if combined with other vulnerabilities.
Likely Case
Attackers inject malicious scripts that steal session cookies or redirect users to phishing sites, potentially compromising user accounts and sensitive student information.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized before reaching users' browsers, preventing successful exploitation.
🎯 Exploit Status
The exploit has been publicly disclosed on GitHub and requires minimal technical skill to implement. No authentication is required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
1. Check code-projects.org for security updates.
2. If no patch is available, implement input validation and output encoding in /register.php.
3. Apply web application firewall rules to block XSS payloads.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to filter malicious payloads before they reach the application.
Input Validation Filter
Implement server-side input validation in /register.php, and HTML-encode user-supplied values whenever they are written back into a page.
Example PHP: $input = htmlspecialchars($_POST['field'], ENT_QUOTES, 'UTF-8');
🧯 If You Can't Patch
- Disable or restrict access to /register.php if not required for functionality.
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
🔍 How to Verify
Check if Vulnerable:
Test /register.php with XSS payloads like <script>alert('XSS')</script> and check if the script executes in the browser.
Check Version:
Check the application's version in its documentation, configuration files, or about page.
Verify Fix Applied:
After applying fixes, retest with XSS payloads to ensure they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /register.php containing script tags or JavaScript code
- Multiple failed registration attempts with suspicious payloads
Network Indicators:
- HTTP requests to /register.php with encoded script tags in parameters
- Outbound connections to suspicious domains following registration attempts
SIEM Query:
source="web_logs" AND uri="/register.php" AND (message="*<script>*" OR message="*javascript:*")
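The SIEM query above matches only literal `<script>` and `javascript:` strings, so it misses the URL-encoded script tags listed under Network Indicators. The following added example (not part of the original advisory or the vendor's code) decodes request data before matching; the log layout, the `body="..."` field, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed log layout (constructed for this example): combined-log-style request
# line, optionally followed by a body="..." field as some audit logs record.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"(?:.*?body="(?P<body>[^"]*)")?')

# Heuristic script-injection markers, applied only after decoding.
MARKERS = re.compile(r'<\s*script|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=', re.I)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%253C) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_register_requests(lines, path="/register.php"):
    """Return (line_number, decoded_data) for requests to `path` with script markers."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        uri_path, _, query = m.group("uri").partition("?")
        if uri_path != path:
            continue
        data = fully_decode(query + " " + (m.group("body") or ""))
        if MARKERS.search(data):
            hits.append((n, data.strip()))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /register.php HTTP/1.1" 200 512 body="name=Alice&email=a%40example.org"',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "POST /register.php HTTP/1.1" 200 530 body="name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',
    '198.51.100.9 - - [01/Jan/2025:10:02:00 +0000] "GET /register.php?name=%253Cscript%253Ealert(1) HTTP/1.1" 200 530',
    '198.51.100.9 - - [01/Jan/2025:10:03:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, data in suspicious_register_requests(SAMPLE_LOG):
        print(f"line {n}: {data}")
```

Standard access logs do not record POST bodies, so the body check only works where a WAF or audit log captures them.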