code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121

# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.

# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback

# PoC (Proof of Concept):
# Payload:
http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>

# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.

# Impact:
# - Account takeover via stolen cookies if a privileged user clicks the malicious link.
# - Full control of victim’s session context if exploited properly.
# - Can be chained with social engineering to target administrators.

# Mitigation:
# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# - Implement Content Security Policy (CSP) headers.
# - Avoid reflecting unsanitized GET parameters into the HTML response.