VYPR
Medium severity 6.1 · NVD Advisory · Published Aug 1, 2025 · Updated Apr 15, 2026

CVE-2025-50869

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user input. Authenticated users can inject arbitrary JavaScript code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Institute-of-Current-Students 1.0 allows faculty-level authenticated users to inject arbitrary JavaScript via the Query and Answer fields of qureydetails.php.

Vulnerability

Description

The Institute-of-Current-Students 1.0 application suffers from a stored cross-site scripting (XSS) vulnerability located in the qureydetails.php page. This persistent XSS flaw arises because the input fields for 'Query' and 'Answer' fail to sanitize user-supplied data before storing and later reflecting it in HTTP responses [1][2]. Stored XSS occurs when an application receives data from an untrusted source and later includes that data in its responses without proper encoding or validation [1].

Attack

Mechanism

An authenticated user with faculty-level privileges can exploit this vulnerability through the 'Edit' functionality on the qureydetails.php page [2]. The attacker injects malicious JavaScript code into the Query or Answer field. When any other user (including administrators or students) views the affected page, the injected script executes in the context of the victim's browser session [1][2]. No special network position is required beyond access to the normal web interface.

Impact

Successful exploitation allows the attacker to perform arbitrary actions on behalf of the victim within the application, such as stealing session cookies, capturing keystrokes, defacing pages, or redirecting users to malicious sites [1]. Because the payload is stored persistently, every victim who visits the affected page will be compromised, making stored XSS more damaging than reflected variants [1].

Mitigation

Status

No official patch or vendor advisory has been released for this vulnerability as of the publication date. Administrators should apply input validation and output encoding to all user-supplied data within qureydetails.php, particularly for the Query and Answer fields, in accordance with CWE-79 guidelines [2].
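The validation and output-encoding controls the paragraph above calls for, written out as an added PHP example. This is not code from Institute-of-Current-Students: the table name `queries`, its column names, the helpers `validate_query_field()`, `h()`, `render_query_row()` and `store_query()`, the 2000-character limit and the sample row are all assumptions made for illustration.

```php
<?php
// Added example: hardened handling of the Query/Answer fields.
// Hypothetical helpers and schema, not code from the affected project.

declare(strict_types=1);

const MAX_FIELD_LENGTH = 2000; // assumed limit; adjust to the real schema

// Server-side input validation: reject empty, oversized or malformed values
// and normalise line endings. This bounds what gets stored; it is not the
// XSS fix on its own, because stored text still has to be encoded on output.
function validate_query_field(string $value): string
{
    $value = str_replace(["\r\n", "\r"], "\n", trim($value));
    if ($value === '') {
        throw new InvalidArgumentException('field must not be empty');
    }
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException('field is not valid UTF-8');
    }
    if (mb_strlen($value, 'UTF-8') > MAX_FIELD_LENGTH) {
        throw new InvalidArgumentException('field too long');
    }
    return $value;
}

// Output encoding: the CWE-79 control. Every stored value is encoded for the
// HTML context at render time, regardless of what it contains. ENT_QUOTES
// also covers both quote characters, so the same helper is safe for
// attribute values such as the Edit form's value="..." fields.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one query row for the listing page. $row would normally come from
// the database; the caller below passes a constructed sample.
function render_query_row(array $row): string
{
    return '<tr>'
        . '<td>' . h($row['query']) . '</td>'
        . '<td>' . h($row['answer']) . '</td>'
        . '</tr>';
}

// Storing: validate first, then write with a prepared statement so the
// values are never interpolated into SQL either. Table/column names assumed.
function store_query(PDO $db, int $studentId, string $query, string $answer): void
{
    $stmt = $db->prepare(
        'INSERT INTO queries (student_id, query, answer) VALUES (:sid, :q, :a)'
    );
    $stmt->execute([
        ':sid' => $studentId,
        ':q'   => validate_query_field($query),
        ':a'   => validate_query_field($answer),
    ]);
}

// Self-check on constructed data: markup, ampersands and quotes in a stored
// value must reach the browser as literal text, never as HTML.
$sample = [
    'query'  => 'Why does <b>bold</b> & "quotes" break the page?',
    'answer' => "It doesn't, once it's encoded: <i>see</i> the table",
];
$html = render_query_row($sample);
assert(strpos($html, '<b>') === false);
assert(strpos($html, '&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quotes&quot;') !== false);
echo $html, PHP_EOL;
```

The check at the bottom is the kind of regression test a reviewer would ask for alongside the fix: render a record whose fields contain angle brackets, an ampersand and both quote characters, then confirm that none of them survive unencoded in the response. Run it with `php -d zend.assertions=1 example.php` so the `assert()` calls are actually evaluated.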

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.