CVE-2025-64070

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the Add New Subject Description field of Sourcecodester Student Grades Management System v1.0. When executed, these scripts can steal user sessions, redirect users to malicious sites, or deface the application. Anyone using the vulnerable version of this software is affected.

💻 Affected Systems

Products:
  • Sourcecodester Student Grades Management System
Versions: v1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator credentials, take full control of the system, manipulate student grades, or install backdoors for persistent access.

🟠 Likely Case: Attackers would steal user session cookies to impersonate legitimate users, potentially accessing sensitive student data or performing unauthorized grade modifications.

🟢 If Mitigated: With proper input validation and output encoding, the attack would be prevented, though the vulnerable code path remains present.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the Add New Subject functionality. The GitHub reference shows proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement input validation and output encoding in the affected PHP files.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Implement proper input validation and HTML encoding for the Add New Subject Description field.

Edit the affected PHP file so that the stored description is wrapped in htmlspecialchars() (or equivalent encoding) wherever it is rendered into HTML.

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules to block XSS payloads.

Add WAF rules to detect and block script tags and JavaScript in POST parameters.

🧯 If You Can't Patch

  • Restrict access to the application to trusted users only using network segmentation
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> in the Add New Subject Description field and check whether it executes when the subject is displayed.

Check Version:

Check the application's version in the admin panel or configuration files

Verify Fix Applied:

After implementing fixes, test with the same payload and confirm that it is rendered as encoded text and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests containing script tags or JavaScript in subject description parameters
  • Multiple failed login attempts followed by successful access to subject management

Network Indicators:

  • HTTP requests with encoded script payloads in POST data
  • Outbound connections to suspicious domains after subject creation

SIEM Query:

source="web_logs" AND (method="POST" AND uri="/add_subject" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
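As an added example (not part of the advisory and not the vendor's code), the SIEM query above rewritten as a small log filter run over constructed log lines. It applies the same conditions (POST to /add_subject, body containing a script tag or javascript:) and goes one step further, URL-decoding the body and matching case-insensitively, because the network indicators note that payloads usually arrive percent-encoded. The `method=... uri=... body=...` log format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample web-server log lines (not real traffic): method, URI, POST body.
SAMPLE_LOGS = [
    "method=POST uri=/add_subject body=subject=Math&description=Intro+to+algebra",
    "method=POST uri=/add_subject body=subject=Bio&description=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E",
    "method=POST uri=/add_subject body=subject=Art&description=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E",
    "method=POST uri=/add_subject body=subject=Hist&description=%3CSCRIPT+src%3D%22http%3A%2F%2Fexample.invalid%2Fx.js%22%3E",
    "method=GET uri=/add_subject body=",
    "method=POST uri=/login body=username=admin&password=REDACTED",
]

# Assumed log line layout (hypothetical): key=value fields separated by spaces.
LINE_RE = re.compile(r"method=(?P<method>\S+) uri=(?P<uri>\S+) body=(?P<body>.*)")

# The two indicators from the SIEM query, widened to tolerate case changes,
# whitespace and attributes after "<script" (e.g. "<SCRIPT src=...>").
PAYLOAD_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def decode_body(body: str, rounds: int = 2) -> str:
    """URL-decode the POST body, repeating once for double-encoded payloads."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def find_suspicious(lines, target_uri: str = "/add_subject"):
    """Return (log_line, matched_fragment) for POSTs to target_uri whose decoded body carries a payload."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["uri"] != target_uri:
            continue
        body = decode_body(m["body"])
        found = PAYLOAD_RE.search(body)
        if found:
            hits.append((line, found.group(0)))
    return hits


if __name__ == "__main__":
    for line, fragment in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT {fragment!r}: {line}")
```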
