Stored XSS in Coaching Management System PHP: Session Hijacking & Privilege Escalation

Vulnerability Summary Vulnerability ID: #802264 Vulnerability Title: Code-Projects Coaching Management System in PHP Unknown Cross-Site Scripting Vulnerability Type: Cross-Site Scripting (XSS) Severity: Low-privileged users can inject malicious scripts Overview A Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the Coaching Management System in PHP. This vulnerability allows low-privileged users (such as students) to inject malicious JavaScript code, which is then stored and executed when viewed by high-privileged users (such as administrators or teachers). Impact Scope Session Hijacking: Due to the lack of HttpOnly protection on session cookies, attackers can exploit this vulnerability to hijack sessions. Privilege Escalation: Attackers can exploit this vulnerability to perform privileged operations, escalating from a student role to an administrator role, resulting in complete system takeover. Multi-User Impact: The vulnerability also exists in the reply functionality, allowing cross-role exploitation and affecting multiple user roles. Remediation The page does not provide specific remediation code, but based on the vulnerability description, the following measures are recommended: 1. Input Validation and Filtering: Strictly validate and filter all user input (especially content submitted to the database), escaping special characters. 2. Set HttpOnly Flag: Set the flag for session cookies to prevent JavaScript access to cookies, thereby reducing the risk of session hijacking. 3. Output Encoding: Perform appropriate HTML entity encoding when outputting user data to web pages. Proof of Concept (POC) The page does not contain a specific POC code block, but provides a link to the GitHub repository where the vulnerability exists:

Goal Reached Thanks to every supporter — we hit 100%!

Stored XSS in Coaching Management System PHP: Session Hijacking & Privilege Escalation