
Stored Cross-Site Scripting (XSS) in Notice Board (Notice Title & Body) — School Management System #30

@whoisrushi

Description


Summary

A persistent (stored) cross-site scripting (XSS) vulnerability exists in the Notice Board functionality. Unsanitized user input placed in the notice title and notice body fields is stored and later rendered without proper escaping, allowing attacker-controlled HTML/JavaScript to execute in the browser of any user who views the notice (including admins, teachers, students, owners).

Steps to Reproduce

  1. Log in as an admin (or any role permitted to create/edit notices).
  2. Navigate to Notice Board → Edit Notice or New Notice.
  3. In Notice Title and Notice Body, enter the payload:
    <img src=x onerror=alert('XSS')>
  4. Click Save (or Publish). A JavaScript alert popup appears (on save or when viewing).
  5. Visit the Notice Board listing or the notice detail page (or have another user view it). The alert popup appears again after refresh — confirming stored XSS.

Vendor of the product(s) info:
ProjectsAndPrograms

Affected product(s)/code base info:
Product: school-management-system
Version: Git commit 6b6fae5 (tested Nov 2025)

Impact:
An attacker can persist JavaScript that executes in the context of any user who views the page, which may lead to:
Cookie/session theft (if cookies are not flagged HttpOnly or other mitigations missing)
Account takeover (via CSRF+stored XSS or stolen session tokens)
Defacement of site content
Persistent browser-based attacks and targeted phishing via UI manipulation

Affected Project:
GitHub repo: /ProjectsAndPrograms/school-management-system

Affected File: noticeboard.php

Recommendation:
Escape output on render: use htmlspecialchars() (or equivalent) when printing untrusted data.
Validate and sanitize input server-side; consider allowlist validation for the notice title (letters, spaces, limited punctuation).
Add Content-Security-Policy (CSP) to reduce impact of injected scripts.
Set cookies to HttpOnly; Secure; SameSite=Strict where appropriate.
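The following PHP is an added example illustrating the recommendations above; it is not code from the school-management-system repository or from noticeboard.php. It assumes a notice is an associative array with `title` and `body` keys (an assumption, not the project's schema) and shows the unescaped render pattern the report describes beside the escaped form, plus the CSP and cookie hardening listed above.

```php
<?php
// Added example, not the project's code. The array keys `title` and `body`
// are assumptions about how a stored notice is represented.
declare(strict_types=1);

// Escape untrusted text for an HTML element or attribute context.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the behaviour the report describes): stored data is
// interpolated straight into the page, so stored markup becomes live markup.
function renderNoticeVulnerable(array $notice): string
{
    return "<h2>{$notice['title']}</h2>\n"
         . "<div class=\"notice-body\">{$notice['body']}</div>";
}

// Hardened pattern: escape at the point of output. nl2br is applied after
// escaping so only the <br> tags it adds are interpreted by the browser.
function renderNoticeSafe(array $notice): string
{
    return "<h2>" . e($notice['title']) . "</h2>\n"
         . "<div class=\"notice-body\">" . nl2br(e($notice['body'])) . "</div>";
}

// Server-side allowlist for the title: letters, digits, spaces and limited
// punctuation, with a length cap. Reject (do not "clean") anything else.
function isValidNoticeTitle(string $title): bool
{
    return mb_strlen($title, 'UTF-8') <= 120
        && preg_match('/^[\p{L}\p{N} .,:;!?\'()-]+$/u', $title) === 1;
}

// Defence in depth: a CSP that blocks inline script, sent before any output.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Session cookie flags so an injected script cannot read the session id and
// the cookie is not sent cross-site or over plain HTTP.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Demonstration with a constructed notice carrying the payload from the report.
$stored = [
    'title' => "Exam schedule <img src=x onerror=alert('XSS')>",
    'body'  => "Exams start Monday.\n<img src=x onerror=alert('XSS')>",
];

var_dump(isValidNoticeTitle($stored['title']));   // bool(false): '<' and '>' are not allowlisted
var_dump(isValidNoticeTitle('Exam schedule 2025')); // bool(true)

echo renderNoticeVulnerable($stored), "\n\n"; // the <img> tag is emitted as live markup
echo renderNoticeSafe($stored), "\n";         // emitted as &lt;img ...&gt;, rendered as inert text
```

Run it from the command line with `php example.php` to compare the two renderings; in the application, `sendSecurityHeaders()` and `startHardenedSession()` must be called before any byte of output is written, and every place that prints a notice title or body should go through `e()` rather than relying on input filtering alone.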

POC: https://drive.google.com/file/d/1-ESqrRlgAVZUVIEcCTtAbwoeVOR-rtmE/view?usp=sharing

Discovered by:
Team DisclosureX
