CVE-2025-46178 PoC — CloudClassroom-PHP-Project security vulnerability

Source
Associated Vulnerability
Title: CloudClassroom-PHP-Project security vulnerability (CVE-2025-46178)
Description: A Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the eid parameter in the CloudClassroom PHP Project. It allows remote attackers to inject arbitrary JavaScript into a victim's browser session by sending a crafted URL, leading to session hijacking or defacement.
Readme
CVE-2025-46178
------------------------------------------

A Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the
eid parameter in the CloudClassroom PHP Project. It allows remote
attackers to inject arbitrary JavaScript into a victim's browser session
by sending a crafted URL, leading to session hijacking or defacement.
------------------------------------------
Additional Information
The PoC payload demonstrates JavaScript execution in the page with the alert(9734) function.
The eid value is rendered without being sanitized or output-encoded, which exposes the application to reflected XSS.

To mitigate this issue:
------------------------------------------

Use server-side input validation
Encode output properly (especially for HTML contexts)
Consider using security libraries like OWASP ESAPI or frameworks with built-in XSS protection
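The two mitigation layers above (validate the input, encode the output), shown as an added PHP example that is not code from the CloudClassroom project. It assumes askquery.php reflects the eid GET parameter into HTML text, and treats eid as an e-mail address based only on the "testing@example.com" prefix of the PoC URL.

```php
<?php
// Added example, not the project's own askquery.php. Assumption: the page
// writes the raw eid query parameter into the HTML body, which is what
// allows the reflected XSS described in this report.

// Vulnerable pattern: the query-string value is written straight into markup.
function render_eid_unsafe(string $eid): string
{
    return "<p>Query for: " . $eid . "</p>";
}

// Layer 1, server-side validation: accept only the shape eid is expected
// to have (assumed here to be an e-mail address).
function is_valid_eid(?string $eid): bool
{
    return $eid !== null && filter_var($eid, FILTER_VALIDATE_EMAIL) !== false;
}

// Layer 2, output encoding for the HTML text context: < > & " ' become
// entities, so even a value that slipped past validation cannot open a tag.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate first, encode on output regardless.
function render_eid_safe(?string $eid): string
{
    if (!is_valid_eid($eid)) {
        return "<p>Invalid query id.</p>";
    }
    return "<p>Query for: " . encode_for_html($eid) . "</p>";
}

// URL-decoded form of the eid parameter from the PoC link in this report.
$payload = 'testing@example.com\'"()&%<zzz><ScRiPt >alert(9734)</ScRiPt>';

echo render_eid_unsafe($payload), PHP_EOL;          // <ScRiPt> survives intact
echo encode_for_html($payload), PHP_EOL;             // tag brackets become &lt; &gt;
echo render_eid_safe($payload), PHP_EOL;             // rejected by validation
echo render_eid_safe('testing@example.com'), PHP_EOL; // a normal value still renders
```

Run with `php example.php`; the first line shows the script tag passing through untouched, the second shows the same value after encoding, and the third shows validation rejecting it before rendering.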

Vulnerability Type
------------------------------------------
Cross Site Scripting (XSS)

Vendor of Product
------------------------------------------
https://github.com/mathurvishal/CloudClassroom-PHP-Project



Affected Product Code Base
------------------------------------------
https://github.com/mathurvishal/CloudClassroom-PHP-Project, version 1.0 (affected range: 1.0 to 1.0)


Affected Component
------------------------------------------
askquery.php, eid GET parameter, frontend HTML rendering logic



Attack Vectors
------------------------------------------
An attacker can inject malicious JavaScript payloads via the eid GET parameter.
When a victim visits a crafted URL, the script executes in their browser, potentially stealing cookies or performing unauthorized actions.

1. Open http://localhost/CloudClassroom-PHP-Project-master/askquery.php?eid=testing%40example.com%27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(9734)%3C/ScRiPt%3E in a browser.
2. An alert dialog appears, confirming that the injected script executed.

Reference
https://owasp.org/www-community/attacks/xss/

------------------------------------------
Discoverer : saurabh
------------------------------------------
LinkedIn : https://www.linkedin.com/in/saurabh-b294b21aa/
------------------------------------------
File Snapshot

[4.0K] /data/pocs/6e7bf6b66de50145b2231db1debc7092a04b728f
├── [1.8K] Cross-Site Scripting (XSS) in CloudClassroom PHP Project
└── [2.1K] README.md

0 directories, 2 files