Stored Cross-Site Scripting (XSS) Vulnerability in Bus Driver Name Field of School Management System #29

@whoisrushi

Description

Summary:
A stored cross-site scripting (XSS) vulnerability exists in the bus driver name field in the Bus Service module. Unsanitized input is stored in the application database and rendered later without escaping, allowing attacker-controlled HTML/JavaScript to execute in any user’s browser (admin, teacher, owner, student) who views the bus details.

Steps to Reproduce:

  1. Log in as an admin (or any role that can create/edit bus details).
  2. Go to the Bus Service → Bus Details page (the page/form used to add or edit a bus/driver).
  3. In the Driver Name input, enter the following payload:
    <img src=x onerror=alert(/Stored_XSS/)>
  4. Click Save (or Update). An alert popup appears immediately.
  5. Refresh the Bus Details listing or visit the page that displays bus driver names. The alert popup appears again — confirming a persistent (stored) XSS.

Vendor of the product(s) info:
ProjectsAndPrograms

Affected product(s)/code base info:
Product: school-management-system
Version: Git commit 6b6fae5 (tested Nov 2025)

Impact:
An attacker can persist JavaScript that executes in the context of any user who views the page, which may lead to:
- Cookie/session theft (if cookies are not flagged HttpOnly or other mitigations are missing)
- Account takeover (via CSRF + stored XSS or stolen session tokens)
- Defacement of site content
- Persistent browser-based attacks and targeted phishing via UI manipulation

Affected Project:

GitHub repo: /ProjectsAndPrograms/school-management-system

Affected File: bus-details.php

Recommendation:
- Escape output on render: use htmlspecialchars() (or equivalent) when printing untrusted data.
- Validate and sanitize input server-side; consider whitelist validation for driver names (letters, spaces, limited punctuation).
- Add a Content-Security-Policy (CSP) to reduce the impact of injected scripts.
- Set cookies to HttpOnly; Secure; SameSite=Strict where appropriate.
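The following is an added example showing the four recommendations above applied together; it is not code from the school-management-system repository, and the `$pdo` connection, the `bus_details` table, the `driver_name` column and the function names are assumptions made for illustration. The vulnerable render is kept next to the hardened one so the difference is visible, and the report's own payload is used as the constructed test input.

```php
<?php
// Added example, not the project's own code. $pdo, the bus_details table and
// the driver_name column are assumed names for illustration.

declare(strict_types=1);

// Recommendation 2: server-side whitelist validation of the driver name.
// Letters (any script), space, period, apostrophe and hyphen; 2 to 60 characters.
function isValidDriverName(string $name): bool
{
    return preg_match('/^[\p{L} .\'\-]{2,60}\z/u', $name) === 1;
}

// Recommendation 1: escape on render. ENT_QUOTES covers attribute contexts,
// and an explicit charset avoids multibyte edge cases.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pattern the report describes: stored data echoed into HTML unescaped,
// so a stored <img onerror=...> payload runs in every viewer's browser.
function renderDriverRowVulnerable(string $driverName): string
{
    return "<td>$driverName</td>";
}

// Hardened render: the same payload is emitted as inert text.
function renderDriverRowSafe(string $driverName): string
{
    return '<td>' . e($driverName) . '</td>';
}

// Recommendations 3 and 4: CSP and cookie flags, sent before any output and
// before session_start(). A 'self'-only script-src blocks inline handlers
// such as onerror even if an escape is missed somewhere else.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// Save handler: reject input that fails the whitelist, then store with a
// prepared statement. Validation is defence in depth; output escaping is
// still required because older rows may already hold unvalidated data.
function saveDriverName(PDO $pdo, int $busId, string $driverName): bool
{
    if (!isValidDriverName($driverName)) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE bus_details SET driver_name = :name WHERE id = :id');
    return $stmt->execute([':name' => $driverName, ':id' => $busId]);
}

// Demonstration with the payload quoted in the report (constructed input).
$payload = '<img src=x onerror=alert(/Stored_XSS/)>';
var_dump(isValidDriverName($payload));        // payload fails the whitelist
var_dump(isValidDriverName("Mary O'Brien"));  // an ordinary name passes
echo renderDriverRowVulnerable($payload), "\n"; // tag reaches the browser as markup
echo renderDriverRowSafe($payload), "\n";       // tag reaches the browser as text
```

In the affected page, the fix for the reported bug is the change from the first render function to the second at every place `driver_name` is printed; validation on save and the headers reduce the blast radius of any escape that is still missed.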

POC: https://drive.google.com/file/d/1cDu67rWuXbIyhqFgXiOHiOyUAzaiD_4S/view?usp=sharing

Discovered by:
Team DisclosureX
