Vulnerability Key Information

Vulnerability Type
Type: Stored Cross-Site Scripting (XSS) - Requires Authentication

Vulnerability Location
Affected Page:
- Add New Grade/Remarks and Recent Grades Display

Vulnerability Details
Affected Parameter: (POST)
Description: The field submitted when creating a grade is stored in the database and later displayed on the page without HTML encoding. An authenticated user can therefore store a script that executes in the browser of every user who views the page (or in the submitter's own browser on reload).

Reproduction Steps
1. Log in to the application using valid credentials (teacher account).
2. Navigate to "Grades" → "Add New Grade" (page ).
3. Fill in the required fields (student, subject, classroom, grade type, grade). In the field, enter a JavaScript payload ( ).
4. After submission, view the "Recent Grades" table or reload . An alert box pops up.

Root Cause
The user-supplied value is stored in the database and later echoed into the HTML page without output encoding or sanitization. Although the INSERT uses PDO prepared statements, which prevent SQL injection, the application still writes the raw value into the page, so stored JavaScript executes in users' browsers (stored XSS). Prepared statements protect the database query, not the HTML output.

Impact
An attacker can inject and store malicious JavaScript in the database (stored XSS). When other users or administrators view the affected page, the injected script runs in their browsers with the privileges of the logged-in user. This can lead to session hijacking, credential theft, application defacement, unauthorized actions performed on behalf of users, and malware distribution through the application interface.

Mitigation Measures
Output Encoding: Always encode dynamic values for the HTML context in which they are rendered, using functions such as in PHP, at the point of output rather than only at the point of storage.
Input Validation: Validate and restrict input fields (e.g., ) to the expected format (e.g., allow only alphanumeric characters and basic punctuation) and reject or sanitize non-conforming input before storing it in the database. Validation is a defense-in-depth measure; output encoding is the control that actually prevents the XSS.
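The following PHP is an added illustration of the two mitigations above, written for this report; it is not code from the affected application. The field name `remarks`, the table and column names in the INSERT, and the row-rendering helpers are assumptions chosen for the example. It shows the vulnerable output pattern the report describes next to the encoded version, a whitelist validator for the remark field, and a PDO insert that only runs after validation.

```php
<?php
declare(strict_types=1);

// Added example for the advisory above; field, table and column names are assumed.

/**
 * Encode a value for safe placement in HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Whitelist validation for the remark field: letters, digits, whitespace and
 * basic punctuation, 1-255 characters. Anything else is rejected outright.
 */
function validateRemark(string $remark): bool
{
    if ($remark === '' || mb_strlen($remark, 'UTF-8') > 255) {
        return false;
    }
    return preg_match('/^[\p{L}\p{N}\s.,;:!?()\'"-]+$/u', $remark) === 1;
}

// Vulnerable pattern (the behaviour the report describes): the stored value is
// concatenated straight into the markup, so a stored <script> tag is executed.
function renderRowVulnerable(array $grade): string
{
    return '<tr><td>' . $grade['student'] . '</td><td>' . $grade['remarks'] . '</td></tr>';
}

// Hardened pattern: every dynamic value is encoded at the point of output.
function renderRowSafe(array $grade): string
{
    return '<tr><td>' . h($grade['student']) . '</td><td>' . h($grade['remarks']) . '</td></tr>';
}

/**
 * Handle the "Add New Grade" POST. The prepared statement prevents SQL
 * injection exactly as in the original application; validation keeps
 * unexpected characters out of the database, and renderRowSafe() above is
 * what prevents the stored value from executing when it is displayed.
 */
function storeGrade(PDO $db, array $post): bool
{
    $remark = trim((string) ($post['remarks'] ?? ''));
    if (!validateRemark($remark)) {
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO grades (student_id, subject_id, class_id, grade_type, grade, remarks)
         VALUES (:student, :subject, :class, :type, :grade, :remarks)'
    );
    return $stmt->execute([
        ':student' => (int) ($post['student_id'] ?? 0),
        ':subject' => (int) ($post['subject_id'] ?? 0),
        ':class'   => (int) ($post['class_id'] ?? 0),
        ':type'    => (string) ($post['grade_type'] ?? ''),
        ':grade'   => (string) ($post['grade'] ?? ''),
        ':remarks' => $remark,
    ]);
}

// Constructed sample record containing markup in the remark, to compare the two renderers.
$sample = ['student' => 'Jane Doe', 'remarks' => '<script>alert(1)</script>'];
echo "Vulnerable: " . renderRowVulnerable($sample) . PHP_EOL;
echo "Encoded:    " . renderRowSafe($sample) . PHP_EOL;
echo "Validator accepts sample remark: " . (validateRemark($sample['remarks']) ? 'yes' : 'no') . PHP_EOL;
```

Running the script prints the encoded row with `&lt;script&gt;` in place of the raw tag, and the validator rejects the sample remark because `<`, `>` and `/` are outside the whitelist. Existing rows that were stored before validation was introduced are still rendered safely because the encoding happens in `renderRowSafe()`, which is why the output-encoding fix must be applied regardless of whether input validation is added.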