Vulners
Lucene search
📄 Create School Management System 1.0 Cross Site Scripting
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2025-52187 | 22 Jul 202510:06 | – | circl |
 | Get Projects School Management System 安全漏洞 | 30 Jul 202500:00 | – | cnnvd |
 | CVE-2025-52187 | 30 Jul 202500:00 | – | cve |
 | CVE-2025-52187 | 30 Jul 202500:00 | – | cvelist |
 | EUVD-2025-23199 | 3 Oct 202520:07 | – | euvd |
 | CVE-2025-52187 | 30 Jul 202520:15 | – | nvd |
 | CVE-2025-52187 | 30 Jul 202520:15 | – | osv |
 | PT-2025-31434 · Unknown · Getprojectsidea Create School Management System | 30 Jul 202500:00 | – | ptsecurity |
 | CVE-2025-52187 | 1 Aug 202500:06 | – | redhatcve |
 | CVE-2025-52187 | 30 Jul 202500:00 | – | vulnrichment |
10
Hello Full Disclosure community,
I’m sharing details of a recently assigned CVE affecting a widely used
open‑source School Management System (PHP/MySQL).
--------------------------------------------
CVE ID: CVE‑2025‑52187
Vulnerability Type: Stored Cross‑Site Scripting (XSS)
Attack Vector: Remote
Discoverer: Sanjay Singh
Vendor Repository:
https://github.com/GetProjectsIdea/Create-School-Management-System-with-PHP-MySQL
Version Tested: 1.0
--------------------------------------------
Description:
The application fails to properly sanitize user-supplied input in
`my_profile_update_form1.php` before storing it in the database. When the
stored data is later rendered on pages such as `get_student_profile.php` or
`dashboard1.php`, embedded JavaScript code executes in the context of the
victim’s browser.
Impacts:
• Session hijacking
• Data exfiltration
• Phishing and fake login forms
• Keystroke logging
• Defacement
• Privilege escalation if viewed by an administrator
--------------------------------------------
Proof of Concept (PoC):
1. Log in as a student user.
2. Navigate to the profile update form (`my_profile_update_form1.php`).
3. In an input field (e.g., Name With Initials), inject:
<script>alert('XSS-PoC')</script>
4. Submit the form.
5. View the updated profile or dashboard (`get_student_profile.php` or
`dashboard1.php`) to trigger the payload.
--------------------------------------------
Mitigation Recommendations:
• Escape and sanitize all user input before storage/output (e.g., using
htmlspecialchars()).
• Implement a strict Content Security Policy (CSP).
• Perform code reviews and security audits.
Reference:
https://github.com/GetProjectsIdea/Create-School-Management-System-with-PHP-MySQL
This vulnerability has been responsibly disclosed and assigned
CVE‑2025‑52187. Full write‑up with additional details and mitigations is
available on Medium:
https://medium.com/@sanjay70023/cve-2025-52187-stored-xss-in-school-management-system-php-mysql-79cadcd6340f
If there are any questions or further information required, feel free to
reach out.
Best regards,
Sanjay Singh
Independent Security Researcher
LinkedIn <https://www.linkedin.com/in/sanjay70023/>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jul 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.18.2
EPSS0.00186
SSVC