CVE-2025-13795
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in the CodingWithElias School Management System that allows attackers to inject malicious scripts via the First Name parameter on the student edit page. Remote attackers can exploit this to steal session cookies, redirect users, or perform actions on their behalf. All users of affected versions are vulnerable.
💻 Affected Systems
- CodingWithElias School Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, modify student records, or install backdoors.
Likely Case
Attackers steal user session cookies to impersonate students or staff, potentially accessing sensitive student information.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts.
🎯 Exploit Status
Exploit details are publicly available on GitHub. Attack requires user interaction (viewing malicious content) but doesn't require authentication to the vulnerable page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor was contacted but did not respond. Consider implementing workarounds or migrating to alternative software.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation and HTML-encode the First Name and other parameters before they are stored or echoed
Modify /student-view.php so the submitted value is encoded, e.g.: $first_name = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
Web Application Firewall (WAF)
Deploy WAF rules to block XSS payloads in the First Name parameter
Add WAF rule (ModSecurity syntax; the transformations make the match case-insensitive and apply it to the URL-decoded value): SecRule ARGS:first_name "@rx <\s*script" "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'XSS payload in first_name'"
🧯 If You Can't Patch
- Disable or restrict access to /student-view.php functionality
- Implement Content Security Policy (CSP) headers to prevent script execution
🔍 How to Verify
Check if Vulnerable:
Test by entering <script>alert('XSS')</script> in First Name field on student edit page and check if script executes
Check Version:
Check git commit hash: git log --oneline -1
Verify Fix Applied:
Test with the same payload; the script should be displayed as text, not executed
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags in First Name parameter logs
- Multiple failed XSS attempts
Network Indicators:
- HTTP requests with script tags in POST parameters
- Unusual traffic to /student-view.php
SIEM Query (illustrative pseudo-syntax; adapt the field names to your platform, and match case-insensitively against the URL-decoded value, since form bodies arrive percent-encoded):
source="web_logs" AND uri_path="/student-view.php" AND (param="first_name" AND value MATCHES "<script>")
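The log and network indicators above all reduce to the same check: pull the first_name value out of each POST to /student-view.php, decode it the way the application would, and look for script markers. The following added example implements that check over a handful of constructed log lines. It is not from the page's vendor or any SIEM product; it assumes a hypothetical application log format with one POST per line, and the log lines, timestamps and names are constructed for illustration.

```php
<?php
// Added example, not from the page's vendor or any SIEM product. It assumes a
// hypothetical application log with one request per line in the form
//   <timestamp> <method> <path> <urlencoded-form-body>
// The log lines, timestamps and names below are constructed for illustration.

declare(strict_types=1);

// Indicators a defender would alert on in a name field. The literal "<script>"
// match from the SIEM query is the first; the others cover forms that literal
// match does not see. All are applied to the normalised (decoded, lowercased) value.
const XSS_INDICATORS = [
    '/<\s*script/',       // opening script tag, any case or spacing
    '/javascript\s*:/',   // javascript: URL scheme in an attribute
    '/\bon[a-z]+\s*=/',   // inline event handler attribute
];

// Normalise the way a WAF does before matching: parse_str() already
// URL-decoded once, so one more pass catches double-encoded input, then
// HTML entities are decoded and the result lowercased.
function normalise(string $value): string
{
    $v = urldecode($value);
    $v = html_entity_decode($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strtolower($v);
}

// Scan log lines for POSTs to $path whose $param carries an XSS indicator.
// Returns one entry per matching line: the line, the normalised value, and
// the pattern that fired.
function scan_log(array $lines, string $path = '/student-view.php', string $param = 'first_name'): array
{
    $hits = [];
    foreach ($lines as $line) {
        $parts = preg_split('/\s+/', trim($line), 4);
        if ($parts === false || count($parts) < 4 || $parts[1] !== 'POST' || $parts[2] !== $path) {
            continue;
        }
        parse_str($parts[3], $form);
        if (!isset($form[$param]) || !is_string($form[$param])) {
            continue;
        }
        $value = normalise($form[$param]);
        foreach (XSS_INDICATORS as $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $hits[] = ['line' => $line, 'value' => $value, 'pattern' => $pattern];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log: two benign edits, one GET that is out of scope, and
// one POST carrying the verification payload exactly as a browser would
// percent-encode it in the form body.
$sample_log = [
    "2025-11-30T10:15:02Z POST /student-view.php first_name=Anne-Marie&last_name=O%27Neil",
    "2025-11-30T10:15:40Z GET /student-view.php id=17",
    "2025-11-30T10:16:11Z POST /student-view.php first_name=Donna&last_name=Scripter",
    "2025-11-30T10:16:40Z POST /student-view.php first_name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&last_name=x",
];

foreach (scan_log($sample_log) as $hit) {
    printf("ALERT %s matched %s\n  value: %s\n", $hit['line'], $hit['pattern'], $hit['value']);
}
```

Only the last line produces an alert: the benign names pass, the GET is skipped because the vulnerable action is a POST, and the percent-encoded payload is caught only because it is decoded before matching. That decode-then-lowercase step mirrors what a WAF does before its rule runs and is the reason a raw, case-sensitive "<script>" substring match over the undecoded log is not enough.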