CVE-2025-29429
📋 TL;DR
This CVE describes a Cross-Site Scripting (XSS) vulnerability in Code-projects Online Class and Exam Scheduling System V1.0 that allows attackers to inject malicious scripts via the id, code, and name parameters in /pages/program.php. This affects all users of this specific software version who access the vulnerable page. Attackers could steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Code-projects Online Class and Exam Scheduling System
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system control, modify exam schedules, access student data, and potentially pivot to other systems.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, modify personal schedules, or access unauthorized information.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any impact.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited with readily available tools; the GitHub reference provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Implement input validation and output encoding in /pages/program.php for id, code, and name parameters.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to filter or reject malicious input in the vulnerable parameters.
Edit /pages/program.php to validate the id, code, and name parameters on input and encode them on output (e.g., htmlspecialchars in PHP) before they are written into the page.
Web Application Firewall (WAF) Rules
Configure WAF to block XSS payloads targeting the vulnerable parameters.
Add WAF rules to detect and block patterns like <script>, javascript:, and other common XSS vectors in id, code, and name parameters.
🧯 If You Can't Patch
- Disable or restrict access to /pages/program.php if not essential.
- Implement Content Security Policy (CSP) headers to mitigate script execution.
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple XSS payload (e.g., <script>alert('XSS')</script>) into the id, code, or name parameters of /pages/program.php and check if it executes.
Check Version:
Check the software version in the system's admin panel or configuration files; look for 'V1.0' in documentation or code comments.
Verify Fix Applied:
After applying fixes, repeat the XSS test; the payload should be displayed as plain text or blocked, not executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /pages/program.php with script tags or encoded payloads in parameters.
- Multiple failed login attempts or session hijacking events following suspicious requests.
Network Indicators:
- HTTP requests containing <script>, javascript:, or other XSS patterns in query strings.
SIEM Query:
source="web_logs" AND url="/pages/program.php" AND (param="id" OR param="code" OR param="name") AND (content="<script>" OR content="javascript:")
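The log indicators and SIEM query above, as an added Python example that is not part of the original advisory: it flags requests to /pages/program.php whose id, code or name value contains the listed patterns after repeated URL and HTML-entity decoding, which a literal string match on the raw log misses. The combined access-log format, the sample lines and the event-handler pattern are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/pages/program.php"
WATCHED_PARAMS = {"id", "code", "name"}
# <script and javascript: come from the advisory; on*= handlers are an added assumption.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(value, rounds=3):
    """Undo nested URL encoding and HTML entities, e.g. %253Cscript -> <script."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the watched parameters in this request that carry an XSS pattern."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(TARGET_PATH):
        return []
    # parse_qsl decodes one layer; normalize() removes any further layers.
    return [key for key, value in parse_qsl(url.query, keep_blank_values=True)
            if key in WATCHED_PARAMS and XSS_PATTERN.search(normalize(value))]

def scan(lines):
    """Map 1-based line numbers to the flagged parameter names."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        flagged = suspicious_params(line)
        if flagged:
            hits[number] = flagged
    return hits

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /pages/program.php?id=3&code=BSIT&name=Info+Tech HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2025:10:00:07 +0000] "GET /pages/program.php?id=3&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [10/Mar/2025:10:00:09 +0000] "GET /pages/program.php?code=%253Cscript%253E&id=1 HTTP/1.1" 200 530',
    '203.0.113.7 - - [10/Mar/2025:10:00:12 +0000] "GET /pages/home.php?name=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG).items():
        print(f"line {number}: suspicious value in {', '.join(params)}")
```

This covers query strings only; values submitted in a POST body do not appear in a standard access log and need application or WAF logging to be inspected.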