CVE-2026-10301
Description
A reflected cross-site scripting vulnerability in itsourcecode Fees Management System 1.0 allows remote attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the itsourcecode Fees Management System version 1.0. The vulnerability is located in the index.php file, specifically within the page URL parameter. User-supplied input is directly reflected in the page output without proper sanitization, making it susceptible to injection attacks [2].
Exploitation
An attacker can exploit this vulnerability remotely by tricking a user into visiting a specially crafted URL. No authentication is required. The attacker crafts a URL that includes malicious JavaScript code within the page parameter. When a victim clicks this URL, the injected script executes in their browser within the context of the application [2].
Impact
Successful exploitation of this vulnerability can lead to session hijacking, unauthorized actions performed on behalf of the victim, data theft, and potentially malware distribution. The attacker gains the ability to execute arbitrary JavaScript code in the victim's browser, compromising their session and data [2].
Mitigation
No specific patched version or release date is available in the provided references. Recommended remediation steps include implementing input validation to reject special characters and using an allow-list approach, as well as output encoding functions like htmlspecialchars() or htmlentities(). Security headers such as Content-Security-Policy and X-XSS-Protection can also help mitigate the impact [2].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unsanitized user input in the URL parameter 'page' is directly reflected in the page output [ref_id=1]."
Attack vector
The vulnerability exists in the index.php file and can be initiated remotely without authentication [ref_id=1]. An attacker can craft a URL that includes a malicious payload within the 'page' parameter. When a victim visits this URL, the injected script is executed within the victim's browser context, potentially leading to session hijacking, unauthorized actions, or data theft [ref_id=1]. The attack requires no special privileges, only that the victim visits a crafted link [ref_id=1].
Affected code
The vulnerability is located in the index.php file, specifically concerning the handling of the 'page' URL parameter [ref_id=1]. User-supplied input in this parameter is reflected directly in the page output without proper sanitization, leading to the cross-site scripting flaw [ref_id=1].
What the fix does
The advisory recommends input validation that rejects special characters and uses an allow-list approach, together with output encoding using functions like htmlspecialchars() or htmlentities() [ref_id=1]. Implementing these measures prevents unsanitized user input from being reflected directly into the page, thereby mitigating the cross-site scripting vulnerability.
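The Mitigation and "What the fix does" sections both describe the same remediation for the 'page' parameter: allow-list the value, then HTML-encode whatever is echoed. The following is an added illustration, not the itsourcecode project's own code and not the patched version (none is referenced on this page). It assumes a minimal page dispatcher in index.php; the function names render_vulnerable(), resolve_page(), e() and render_hardened() and the ALLOWED_PAGES list are assumptions made for this example, and the sample input is the reproduction string already given on this page.

```php
<?php
// Added illustration (not the itsourcecode project's code): a minimal
// index.php page dispatcher that reflects the 'page' query parameter, shown
// first in the unsafe form the advisory describes and then hardened as it
// recommends. All names below are assumptions for this example.

declare(strict_types=1);

// --- Unsafe pattern: the parameter is echoed back without encoding. ---
// Whatever arrives in ?page=... lands verbatim inside the HTML, so a crafted
// link can close the surrounding attribute or text context and run script in
// the visitor's browser (reflected XSS, CWE-79).
function render_vulnerable(string $page): string
{
    return "<p>Unknown page: " . $page . "</p>\n"
         . "<a href='index.php?page=" . $page . "'>Retry</a>\n";
}

// --- Hardened pattern: allow-list first, then encode on output. ---
// 1. The dispatcher only accepts a page name it knows about; any other value
//    falls back to a fixed default and is never trusted.
// 2. Everything echoed, including the safe default, goes through
//    htmlspecialchars() with ENT_QUOTES, so <, >, ", ' and & become entities
//    and cannot terminate a tag or attribute.
const ALLOWED_PAGES = ['home', 'students', 'fees', 'payments'];  // assumed page names

function resolve_page(?string $requested): string
{
    if ($requested !== null && in_array($requested, ALLOWED_PAGES, true)) {
        return $requested;
    }
    return 'home';
}

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(?string $requested): string
{
    $page = resolve_page($requested);
    return "<p>Current page: " . e($page) . "</p>\n"
         . "<a href='index.php?page=" . e($page) . "'>Reload</a>\n";
}

// Constructed sample input: the reproduction string from the advisory.
$sample = "')</script><script>alert(0)</script>('";

echo "Vulnerable output:\n" . render_vulnerable($sample) . "\n";
// The <script> element is emitted unchanged and a browser would execute it.

echo "Hardened output:\n" . render_hardened($sample) . "\n";
// The unrecognised value is discarded; the page falls back to 'home'.

echo "Encoding alone (defence in depth if a value must be echoed):\n" . e($sample) . "\n";
// Every <, >, ' and ( survive only as text; no tag is formed.
```

The allow-list is the primary control here, because the dispatcher never needs to reflect an arbitrary string in the first place. Output encoding is kept as a second layer so that a future template that does echo user input is still safe by default, and a Content-Security-Policy header that forbids inline script, as the Mitigation section suggests, further limits what an injected payload could do if either layer were bypassed.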
Preconditions
- input: The 'page' URL parameter must be controllable by the attacker.
- network: The vulnerability is remotely exploitable.
- auth: No authentication is required to exploit this vulnerability.
Reproduction
- Visit URL: http://[target]/index.php?page=%27)</script><script>alert(0)</script>(%27
- Observe JavaScript execution [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.