Institute-of-Current-Students v10 反射型跨站脚本漏洞
漏洞信息
漏洞名称: Institute-of-Current-Students v1.0 反射型跨站脚本漏洞
漏洞编号:
- CVE: CVE-2025-51411
漏洞类型: 跨站可执行脚本
漏洞等级: 中危
漏洞描述: 受影响产品: Institute-of-Current-Students v1.0 是一个PHP项目,主要用于学生信息管理。该项目由独立开发者mathurvishal维护,典型部署于教育机构内部网络,用于管理当前学生的信息查询和发布。由于其开源性质,可能被广泛部署于缺乏专业IT支持的小型教育机构中。
漏洞解释: 该漏洞属于反射型跨站脚本(XSS)漏洞,存在于postquerypublic端点中。具体来说,服务器在处理email参数时未进行适当的输入清理和验证,导致攻击者可以构造恶意的email参数值,当该值被反射回用户的浏览器时,会执行其中包含的任意JavaScript代码。这种漏洞的根本原因在于开发过程中未能对用户输入进行严格的过滤和编码处理。
影响分析: 利用此漏洞,攻击者可以执行多种恶意操作,包括但不限于执行任意JavaScript代码、进行钓鱼攻击或冒充用户、窃取会话令牌或cookie信息、以及强制重定向用户到恶意网站或传播恶意软件。由于漏洞利用不需要用户认证,且可以通过简单的恶意链接或表单提交自动触发,因此具有较高的潜在风险。尽管漏洞的CVSS评分为6.1(中危),但在实际应用中,结合社会工程学攻击,其危害可能被放大。目前,官方尚未发布补丁,建议用户采取临时措施,如手动编码用户输入或实施内容安全策略(CSP)来缓解风险。
产品厂商: Independent (mathurvishal)
产品名称: Institute-of-Current-Students
影响版本: v1.0
来源: https://github.com/tansique-17/CVE-2025-51411
类型: CVE-2025:github search
仓库文件
- README.md
来源概述
🛡️ CVE Disclosure: CVE-2025-51411 — Reflected XSS in Institute-of-Current-Students
Disclosure Date: 25 July 2025
CVE ID: CVE-2025-51411
Severity: MEDIUM (CVSS 6.1)
🧩 Summary
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Institute-of-Current-Students v1.0 project, specifically within the postquerypublic endpoint. Unsanitized input in the email parameter is directly reflected back into the response HTML, allowing attackers to execute arbitrary JavaScript in the browser of a user who visits a malicious link or submits a crafted request.
This issue has been assigned the identifier CVE-2025-51411. At the time of disclosure, no patch has been released by the vendor.
📦 Affected Product
- Vendor: Independent (mathurvishal)
- Project: Institute-of-Current-Students—PHP-Project
- Version: v1.0
- File:
postquerypublic - Vulnerable Endpoint:
http://localhost/Institute-of-Current-Students/postquerypublic
🔬 Vulnerability Details
The server fails to properly sanitize the email parameter from POST data before reflecting it into the response HTML. This allows attackers to inject JavaScript payloads, leading to client-side code execution.
Vulnerable Code Pattern (hypothetical):
1 | |
📌 CWE Classification
| CWE ID | Title |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
📊 CVSS v3.1 Score
| Score | Severity | Vector String |
|---|---|---|
| 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
💥 Impact
A successful exploitation could result in:
- 🧠 Execution of arbitrary JavaScript
- 🎭 Phishing or impersonation via HTML injection
- 🍪 Session hijacking or token theft
- 🚨 Forced redirection or malware delivery
🧪 Proof of Concept (PoC)
📥 Sample Request
1 | |
📋 Injected Payload
1 | |
This payload is executed if the server reflects the email value without sanitization.
🔐 Recommendations
- ✅ Use
htmlspecialchars()or equivalent to encode all untrusted output before rendering to HTML. - 🧰 Implement server-side input validation for all form inputs.
- 🧱 Set strong Content Security Policy (CSP) headers.
- 🚫 Avoid directly embedding unsanitized user inputs into HTML responses.
✅ Example Fix
1 | |
📆 Timeline
| Event | Date |
|---|---|
| Vulnerability Discovered | 18 July 2025 |
| Public Disclosure | 25 July 2025 |
| Patch Available | ❌ Not available as of disclosure |
🙋♂️ Credits
This vulnerability was discovered and disclosed by:
Tansique Dasari
🔗 GitHub
✉️ tansique.d@gmail.com
🔗 References
- OWASP - XSS
- CWE-79 - XSS Classification
- GitHub - Institute-of-Current-Students
- CVE-2025-51411 on CVE.org
💬 This advisory is published independently due to absence of an official vendor patch.