code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

vendor:

Online Exam Mastering System

by:

Pruthu Raut

6.1

CVSS

HIGH

Cross-Site Scripting (XSS)

CWE

Product Name: Online Exam Mastering System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2025-28121

CPE: a:code-projects:online_exam_mastering_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux

2025

code-projects Online Exam Mastering System 1.0 – Reflected Cross-Site Scripting (XSS)

The code-projects Online Exam Mastering System 1.0 is prone to a Reflected Cross-Site Scripting (XSS) vulnerability in the 'q' parameter of feedback.php. This issue occurs because the application does not properly sanitize user-supplied input, enabling an attacker to execute arbitrary JavaScript code.

Mitigation:

To mitigate this vulnerability, it is recommended to use functions like `htmlspecialchars()` for input sanitization, implement Content Security Policy (CSP) headers, and refrain from echoing unsanitized user inputs into the HTML response.

Source

Exploit-DB raw data:

# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121

# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.

# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback

# PoC (Proof of Concept):
# Payload:
http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>

# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.

# Impact:
# - Account takeover via stolen cookies if a privileged user clicks the malicious link.
# - Full control of victim’s session context if exploited properly.
# - Can be chained with social engineering to target administrators.

# Mitigation:
# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# - Implement Content Security Policy (CSP) headers.
# - Avoid reflecting unsanitized GET parameters into the HTML response.