Overview
CVE-2025-13795 describes a Cross-Site Scripting (XSS) vulnerability found in the codingWithElias School Management System, specifically in versions up to commit f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. This vulnerability allows a remote attacker to inject malicious scripts into the “First Name” field on the Edit Student Info page, potentially compromising user accounts and data. The vendor was contacted but did not respond.
Technical Details
The vulnerability resides within the /student-view.php file of the codingWithElias School Management System. Specifically, the “First Name” argument on the Edit Student Info page is not properly sanitized. This lack of input validation allows an attacker to inject malicious JavaScript code. When a user views the page containing the injected script, the script will execute in their browser, potentially leading to session hijacking, cookie theft, or other malicious activities. The public exploit is readily available, increasing the risk of exploitation.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13795 a score of 2.4, indicating a LOW severity. This score reflects the following characteristics:
- Attack Vector: Network (AV:N)
- Attack Complexity: High (AC:H) – While the exploit is publicly available, successful exploitation may require some user interaction or specific system configuration.
- Privileges Required: None (PR:N)
- User Interaction: Required (UI:R) – A user needs to interact with the malicious content for the exploit to be successful.
- Scope: Changed (S:C) – An exploited vulnerability can affect resources beyond the attacker’s control.
- Confidentiality Impact: Low (C:L)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
While the score is low, the potential impact of XSS vulnerabilities should not be underestimated, particularly in systems handling sensitive student data.
Possible Impact
Successful exploitation of this XSS vulnerability could lead to several negative consequences:
- Account Compromise: An attacker could steal a user’s session cookies and hijack their account.
- Data Theft: Sensitive student information could be accessed and stolen.
- Website Defacement: The attacker could inject malicious code to alter the appearance or functionality of the website.
- Malware Distribution: The attacker could use the injected script to redirect users to malicious websites or distribute malware.
Mitigation or Patch Steps
Given the vendor’s lack of response and the rolling release nature of the product, direct patching may not be immediately available. Consider the following mitigation steps:
- Input Sanitization: Implement robust input validation and sanitization for all user-supplied data, especially in the
/student-view.phpfile. Escaping special characters is crucial. - Web Application Firewall (WAF): Deploy a WAF to filter out malicious requests and protect against XSS attacks. Configure the WAF with rules to detect and block common XSS patterns.
- Content Security Policy (CSP): Implement a strong CSP to restrict the sources from which the browser can load resources, mitigating the risk of injected scripts executing.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
- Disable Unnecessary Features: Consider disabling features that are not essential to reduce the attack surface.
