Cybersecurity Vulnerabilities

CVE-2025-64070: XSS Threat Found in Sourcecodester Student Grades Management System

December 2, 2025 - By 

Overview

CVE-2025-64070 describes a Cross-Site Scripting (XSS) vulnerability discovered in Sourcecodester Student Grades Management System version 1.0. This vulnerability allows an attacker to inject malicious scripts into the “Add New Subject Description” field, potentially compromising user accounts and data.

Technical Details

The vulnerability resides in the lack of proper input sanitization within the “Add New Subject Description” functionality. An attacker can input malicious JavaScript code into this field. When a user views the subject description, the injected script will execute within their browser. This can lead to:

  • Account hijacking: Stealing user cookies or session tokens.
  • Data theft: Accessing and exfiltrating sensitive information.
  • Defacement: Altering the appearance of the web page.
  • Redirection: Redirecting users to malicious websites.

CVSS Analysis

Currently, a CVSS score is not available (N/A) for this vulnerability. However, based on the potential impact of XSS, it is likely to be classified as a Medium to High severity vulnerability upon assessment. A thorough CVSS analysis should consider the attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.

Possible Impact

The impact of CVE-2025-64070 could be significant, particularly in environments where the Student Grades Management System is used to store sensitive student data. A successful XSS attack could lead to:

  • Compromised student records (grades, personal information).
  • Unauthorized access to the system.
  • Reputation damage for the institution using the software.
  • Phishing attacks targeting system users.

Mitigation or Patch Steps

To mitigate this vulnerability, the following steps should be taken:

  1. Input Sanitization: Implement strict input validation and sanitization on the “Add New Subject Description” field. All user-supplied input should be encoded before being displayed to prevent the execution of malicious scripts. HTML entity encoding is recommended.
  2. Output Encoding: Ensure that all data retrieved from the database and displayed to users is properly encoded to prevent XSS.
  3. Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to detect and block XSS attacks.
  4. Update the System: Apply any patches or updates released by Sourcecodester to address this vulnerability. Contact the vendor for available updates if none are publicly available.
  5. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the application.

References

GitHub: CVE-2025-64070 Research
LinkedIn: Vabna Lina Profile

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *