SourceCodester Student Grades Management System students.php cross site scripting
Description
A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored/reflected XSS vulnerability in SourceCodester Student Grades Management System 1.0 via the Remarks parameter in students.php allows remote attackers to inject arbitrary scripts.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in SourceCodester Student Grades Management System version 1.0. The vulnerability is located in the file students.php and involves manipulation of the Remarks argument. The application fails to neutralize user-supplied input before including it in web page output, enabling the injection of arbitrary HTML and JavaScript. The exploit is publicly available, as noted in the CVE description and confirmed in the repository reference [2].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. The attacker sends a crafted request to students.php with malicious script code embedded in the Remarks parameter. When the application reflects or stores this input, the script executes in the context of any user viewing the affected page. The exploit requires no special privileges, write access, or user interaction beyond the victim accessing the processed output [1], [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an authenticated or unauthenticated user viewing the injected page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data displayed in the context of the student management system. The impact is limited to the client side, but the attacker gains a foothold within the application's trusted context [2].
Mitigation
As of the publication date (2026-05-25), no official patch has been released by SourceCodester. The vendor's site [1] does not mention an update for this vulnerability. The affected version is Student Grades Management System 1.0. Users should consider applying input validation and output encoding on the Remarks parameter, or restrict access to students.php until a fix is made available. The vulnerability is publicly listed with an available exploit, increasing the urgency for remediation [2].
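The input validation and output encoding recommended above, shown as an added PHP illustration that is not code from SourceCodester's students.php: only the file name and the Remarks parameter come from the advisory, the field rendering, the helper names and the length limit are assumptions.

```php
<?php
// Added illustration, not SourceCodester code. The advisory only names
// students.php and the Remarks parameter; everything else is assumed.
declare(strict_types=1);

// Encode a value for an HTML text node or a quoted attribute.
// ENT_QUOTES covers both quote styles, so attribute contexts are safe too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation narrows what gets stored (assumed 500-char limit, no
// control characters). It does not replace output encoding, which is the
// control that actually prevents the script from executing.
function validate_remarks(string $remarks): ?string
{
    if (mb_strlen($remarks, 'UTF-8') > 500) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $remarks)) {
        return null;
    }
    return $remarks;
}

$remarks = (string) ($_POST['Remarks'] ?? '');

// Vulnerable pattern (the class of defect the advisory describes):
// the raw parameter is written straight into the page.
// echo '<td>' . $remarks . '</td>';

// Hardened pattern: validate on input, encode on every output.
$clean = validate_remarks($remarks);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid remarks');
}
echo '<td>' . h($clean) . '</td>';
echo '<input type="text" name="Remarks" value="' . h($clean) . '">';
```

The same h() call must wrap the value wherever a stored remark is later rendered, since a stored XSS fires on display, not on submission.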
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- vuldb.com/submit/814043 (mitre, third-party-advisory)
- vuldb.com/vuln/365466 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365466/cti (mitre, signature, permissions-required)
- www.sourcecodester.com (mitre, product)
News mentions
No linked articles in our index yet.