CVE-2025-65134
Description
In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The School Management System 1.0 contact-us.php endpoint reflects the email POST parameter without sanitization, enabling reflected XSS that executes in an administrator's browser session.
Vulnerability
Description
In manikandan580 School-management-system 1.0, the /studentms/admin/contact-us.php endpoint reflects the email POST parameter into the HTML response without any sanitization or output encoding. The root cause is that the application fails to use functions such as htmlspecialchars() before including user-supplied data in the page body. This allows an attacker to inject arbitrary JavaScript or HTML that is executed in the context of the admin application [1].
Exploitation
Conditions
Exploitation does not require authentication on the part of the attacker; the payload is submitted via a POST request. However, to achieve impact, the crafted input must be processed by an administrator who submits the contact form or views the subsequent response. The reflected nature of the XSS means the payload is not stored but is returned immediately in the server's response, requiring some form of social engineering or a crafted link that triggers the admin to send the request [1].
Impact
Because the vulnerable endpoint is within the admin panel, a successful reflected XSS attack can lead to high-severity consequences. An attacker could steal administrator session cookies (if not protected with the HttpOnly flag), perform arbitrary administrative actions such as modifying student records or system settings, or force the victim to log out. In essence, the attacker gains full control over the administrative interface for the duration of the victim's session [1].
Mitigation
Status
At the time of publication, the vendor (manikandan580) has not publicly released a fixed version. As a workaround, administrators should ensure output encoding (e.g., htmlspecialchars()) is applied to the email parameter before reflection. Additionally, setting the HttpOnly and SameSite flags on session cookies can limit the impact of cookie theft. The CVE has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
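The workaround described above, sketched in PHP as an added example. It is not the project's code: the page does not show contact-us.php, so the form layout, the `e()` helper and the HTTPS assumption are hypothetical.

```php
<?php
// Added example; hypothetical handler shape, not the project's contact-us.php.

// Cookie flags must be configured before session_start() (array form: PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the admin panel is served over HTTPS
    'httponly' => true,      // session cookie is not readable from document.cookie
    'samesite' => 'Strict',  // session cookie is not attached to cross-site POSTs
]);
session_start();

/** Encode a value for an HTML text node or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept the parameter only as a string; an array-valued email[]=... becomes ''.
$raw   = $_POST['email'] ?? '';
$email = is_string($raw) ? trim($raw) : '';

// Validation narrows what is accepted, but the XSS fix is the encoding at output.
$valid = $email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;

// Unsafe pattern the description implies: echoing $_POST['email'] directly.
// Every reflection point below goes through e() instead.
header('Content-Type: text/html; charset=UTF-8');
?>
<form method="post">
  <input type="text" name="email" value="<?= e($email) ?>">
  <?php if ($email !== '' && !$valid): ?>
    <p class="error">Not a valid email address: <?= e($email) ?></p>
  <?php endif; ?>
  <button type="submit">Save</button>
</form>
```

The same `e()` call is needed at every place the value is echoed, including error messages, since encoding one reflection point and missing another leaves the page vulnerable.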
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.