code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
AI Analysis
Technical Summary
The code-projects Online Exam Mastering System version 1.0 suffers from a reflected cross-site scripting (XSS) vulnerability in feedback.php via the "q" GET parameter. The page writes the parameter into its HTML response without encoding it, so a URL whose q value contains markup yields a response that the victim's browser parses and executes as part of the page. The Exploit-DB proof-of-concept uses the payload http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>, which pops an alert and confirms script execution in the HTML body context. The Exploit-DB entry is tagged as Perl, but its published content is only the comment header reproduced under Indicators of Compromise below; the proof-of-concept is the crafted URL itself, not a script that sends requests. The author tested on XAMPP (Windows 10 and Kali Linux, Apache + PHP 7.x); the flaw is in the application's output handling and is not specific to that stack.

Because the injected script runs in the application's origin with the victim's session, impact depends on who opens the link: an instructor or administrator exposes their own session. Cookie theft succeeds only if the session cookie lacks the HttpOnly flag; with HttpOnly set the script cannot read the cookie, but it can still issue authenticated requests from the victim's browser (changing results, creating accounts, whatever that role permits), so HttpOnly narrows the impact without removing it. Exploitation requires the victim to open an attacker-supplied link, typically delivered through phishing or a post in a forum the user trusts.

No official patch is available from the vendor and no exploitation in the wild has been reported, but the public Exploit-DB entry (EDB-ID 52272) removes any discovery effort for an attacker. The vulnerability is tracked as CVE-2025-28121.

The fix is output encoding at the point of reflection: pass the value through htmlspecialchars() with ENT_QUOTES and an explicit 'UTF-8' charset before echoing it into the HTML body, and do not echo GET parameters into HTML at all where a fixed message or an allow-list of messages will do. A Content Security Policy that permits only nonce- or hash-marked scripts blocks a reflected inline <script> even if an encoding call is missed somewhere, but it is a second layer, not a substitute for encoding.
Overall, this reflected XSS vulnerability poses a moderate risk to deployments of this online exam system, especially where privileged users interact with the feedback functionality via web browsers.
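The reflection pattern and the recommended fix, as an added example written for this analysis rather than code taken from the code-projects project: the page does not reproduce feedback.php, so the "vulnerable" function below is an assumed shape of how q is echoed, and the message keys, function names and CSP policy are choices made for the illustration. The hardened variants correspond to the htmlspecialchars() and CSP advice above (and to recommendations 2 and 3 in the list that follows).

```php
<?php
// Added example for this analysis, not the code-projects feedback.php source
// (the page does not reproduce the application's code). The vulnerable function
// is an ASSUMED shape of how feedback.php reflects q; the rest is the recommended fix.

// Assumed vulnerable shape: the query parameter is concatenated straight into HTML.
function render_message_vulnerable(string $q): string
{
    return '<div class="alert">' . $q . '</div>';
}

// Fix: encode at the point of output, for the HTML body context.
// ENT_QUOTES encodes both ' and " (so the value is also safe inside a quoted
// attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function render_message_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Stronger still: the parameter only ever selects a fixed notice, so map it to
// an allow-listed message (keys are hypothetical) and never reflect attacker text.
function render_message_allowlisted(string $key): string
{
    $messages = [
        'thanks' => 'Thank you for your valuable feedback',
        'error'  => 'Your feedback could not be saved, please try again',
    ];
    $text = $messages[$key] ?? $messages['error'];
    return '<div class="alert">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Second layer: a nonce-based CSP. Inline scripts run only when their nonce
// attribute matches the header, so a reflected <script> (which cannot know the
// per-response nonce) is refused by the browser even if an encoding call is missed.
function csp_header(): array
{
    $nonce  = base64_encode(random_bytes(16));
    $policy = "default-src 'self'; "
            . "script-src 'nonce-{$nonce}' 'strict-dynamic'; "
            . "object-src 'none'; base-uri 'none'";
    return ['nonce' => $nonce, 'header' => 'Content-Security-Policy: ' . $policy];
}

// In feedback.php the header must be sent before any output:
//   $csp = csp_header();
//   header($csp['header']);
//   echo render_message_safe($_GET['q'] ?? '');
//   legitimate inline scripts then carry nonce="{$csp['nonce']}" on their <script> tag.
//
// Run from the CLI to compare the two renderings for the advisory's payload.
if (PHP_SAPI === 'cli') {
    $payload = "<script>alert('XSS')</script>";
    echo 'vulnerable: ', render_message_vulnerable($payload), PHP_EOL;
    echo 'hardened:   ', render_message_safe($payload), PHP_EOL;
    echo csp_header()['header'], PHP_EOL;
}
```

The encoding call is specific to the HTML body and attribute contexts; a value written into a JavaScript string, a URL or a CSS block needs the encoder for that context instead. The CSP is deliberately strict (no 'unsafe-inline'); any inline scripts the application already ships must be given the nonce or the policy will block them too, so test it in Content-Security-Policy-Report-Only first.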
Potential Impact
For European organizations running the code-projects Online Exam Mastering System 1.0, the practical risk is to the accounts of the people who use it. Educational institutions, certification bodies and training providers face session hijacking and account compromise if an instructor or administrator opens a crafted feedback.php link: script running in that user's session can read exam data, alter feedback or results and expose personal information, limited only by what that user's role is allowed to do. Arbitrary JavaScript in a trusted origin also enables convincing phishing (a fake login form served on the real domain) and drive-by delivery of further payloads. Confidentiality and integrity are the affected properties; availability is not directly impacted. Because the victim must open an attacker-supplied link, delivery is a social-engineering problem, and internet-facing instances whose staff or students can be reached by email are the most exposed.
Mitigation Recommendations
1. Immediately audit all instances of the Online Exam Mastering System 1.0 to identify where feedback.php, and its q parameter, is reachable by external users.
2. Encode on output: modify feedback.php (and any other page that echoes request parameters) to pass the value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at the point where it is written into HTML. Encoding is context-specific: this call is correct for the HTML body and quoted attribute values, not for JavaScript, URL or CSS contexts.
3. Set a Content-Security-Policy header that allows scripts only from trusted origins and only with a per-response nonce or hash; a policy that includes 'unsafe-inline' does not stop a reflected <script>. Test the policy against the application's own inline scripts first, since a strict policy blocks those as well.
4. As a stopgap until the code is fixed, a Web Application Firewall rule on the q parameter can block obvious payloads. Match on the URL-decoded value (including double-encoded input) and expect bypasses: filtering is a temporary layer, not a substitute for encoding.
5. Educate users, especially administrators and instructors, about the risks of opening untrusted links, and point out that a malicious link to this application looks like a legitimate link to it.
6. Review web server logs for requests to feedback.php whose q value, once URL-decoded, contains "<", "javascript:" or an inline event handler such as onerror= or onload=. The proof-of-concept URL is not obviously malicious until it is decoded.
7. Upgrade or patch the system once the vendor releases an official fix.
8. Restricting feedback.php to authenticated users stops anonymous probing but not the attack itself, because a reflected XSS is triggered by the authenticated victim's own browser; treat this as exposure reduction, not as a fix.
9. Conduct regular security assessments and penetration tests focusing on input validation and output encoding across all web application components.
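A log review of the kind recommendation 6 describes, as an added example written for this analysis (not part of the Exploit-DB entry or the code-projects project). The four access-log lines are constructed for the demonstration, and the signatures are a first pass at recommendation 4's "payload patterns", not a complete XSS grammar; the double-encoded line shows why decoding before matching matters.

```php
<?php
// Added example for this analysis (not part of the Exploit-DB entry): a first-pass
// scan of Apache combined-format access logs for markup injected into the q
// parameter of feedback.php. The four log lines are CONSTRUCTED for the demo.

$sampleLog = <<<'LOG'
203.0.113.7 - - [19/Apr/2025:10:12:01 +0000] "GET /exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2025:10:12:09 +0000] "GET /exam/feedback.php?q=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 1570 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Apr/2025:10:13:44 +0000] "GET /exam/feedback.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1580 "-" "curl/8.5.0"
198.51.100.4 - - [19/Apr/2025:10:14:02 +0000] "GET /exam/index.php HTTP/1.1" 200 4021 "-" "curl/8.5.0"
LOG;

// Percent-decode until the value stops changing (bounded), so a double-encoded
// payload such as %253C is seen as "<", which is what the browser eventually sees.
function fully_decode(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Signatures for injection into an HTML body context: a tag opener, a javascript:
// URL, or an inline event handler. Case-insensitive, whitespace variants tolerated.
function looks_like_markup_injection(string $value): bool
{
    return (bool) preg_match('~<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=~i', $value);
}

// Returns one record per suspicious request: client IP, timestamp and decoded q.
function scan_feedback_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: IP ident user [time] "METHOD target PROTO" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($path) || !preg_match('~/feedback\.php$~', $path) || !is_string($query)) {
            continue;
        }
        parse_str($query, $params);            // decodes one layer
        if (!isset($params['q']) || !is_string($params['q'])) {
            continue;
        }
        $q = fully_decode($params['q']);        // catches further encoding layers
        if (looks_like_markup_injection($q)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'q' => $q];
        }
    }
    return $hits;
}

// Two of the four lines should be reported: the advisory's PoC and the
// double-encoded <img onerror=...> variant; the benign message and index.php are not.
foreach (scan_feedback_requests($sampleLog) as $hit) {
    printf("[%s] %s feedback.php?q=%s\n", $hit['time'], $hit['ip'], $hit['q']);
}
```

Run it as `php scan.php` against a real log by replacing $sampleLog with file_get_contents() of the access log. Hits from the same client within seconds of each other with varying payloads are a scanner; a single hit followed by requests from a different client to the same decoded URL is the pattern to escalate, since that is what a victim opening a phished link looks like.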
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Indicators of Compromise
- exploit-code:
# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121
# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.
# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback
# PoC (Proof of Concept):
# Payload: http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>
# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.
# Impact:
# - Account takeover via stolen cookies if a privileged user clicks the malicious link.
# - Full control of victim's session context if exploited properly.
# - Can be chained with social engineering to target administrators.
# Mitigation:
# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# - Implement Content Security Policy (CSP) headers.
# - Avoid reflecting unsanitized GET parameters into the HTML response.
Technical Details
- Edb Id: 52272
- Has Exploit Code: true
- Code Language: perl
Threat ID: 68489e777e6d765d51d546af
Added to database: 6/10/2025, 9:07:03 PM
Last enriched: 6/11/2025, 9:09:58 PM
Last updated: 8/12/2025, 12:33:33 AM