Cross Site Scripting - School Dormitory Management System

May 11, 2022

Product School Dormitory Management System
Product Link Link
Vulnerability Cross Site Scripting
Severity medium


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

The ?page= parameter in the request URL indicated which page is being requested. However, due to a misimplementation of Javascript funtion, it is possible to inject a malicious script. An attacker can escape a line of code and insert his own.

The vulnerability appears in inc/navigation.php file:

    var page = '<?php echo isset($_GET['page']) ? $_GET['page'] : 'home' ?>';
    var s = '<?php echo isset($_GET['s']) ? $_GET['s'] : '' ?>';
    page = page.replace(/\//g,'_');

    if($('.nav-link.nav-'+page).length > 0){
    if($('.nav-link.nav-'+page).hasClass('tree-item') == true){
    if($('.nav-link.nav-'+page).hasClass('nav-is-tree') == true){


By passing '; alert(1); ' to the ?page= parameter the code will be injected and executed when the page is loaded.