SK-2026-001
Stored Cross-Site Scripting in Gosfem School Management System
Stored Cross-Site Scripting vulnerability in the public admission application form allowing arbitrary JavaScript execution in administrative interfaces.
- Status: Published
- Type: Advisory
- Advisory ID: SK-2026-001
- CVE: To be assigned
Summary
A Stored Cross-Site Scripting (Stored XSS) vulnerability was identified in the admission application functionality of the Gosfem School Management System.
The affected endpoint, as observed on the test instance:
http://localhost/applicationForm/index/validate
neither validates the submitted values on the server nor encodes them when they are later rendered in administrative interfaces. The vulnerability was confirmed in the following admission form fields:
- Applicant Name
- Address
- Age
Because submitted data is stored and later viewed by privileged users, malicious JavaScript supplied by an attacker can execute in the browsers of administrative personnel.
Affected Component
- Product: Gosfem School Management System
- Component: Admission Application Form
- Endpoint: /applicationForm/index/validate
- Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Technical Details
The application accepts user-controlled input from the public admission form and persists it without server-side validation; the stored values are later written into administrative pages without output encoding.
An attacker can submit crafted JavaScript payloads within the vulnerable admission form fields. When administrative users access submitted admission records through the ERP dashboard, the payload executes within their browser context.
Example Payload
<script>alert(document.domain)</script>
The payload is successfully stored by the application and triggered when the affected admission record is viewed.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an authenticated administrative user, with the ability to act within the application using that user's session.
A significant aspect of this issue is that the admission form is intended to be publicly accessible, so the attacker does not need an account or any other authentication to submit the payload. Once the application is deployed and reachable from the internet, any external user can plant a stored XSS payload that executes when administrative personnel view the record.
Steps to Reproduce
- Visit the admission application form.
- Insert a JavaScript payload into one of the vulnerable fields (Applicant Name, Address, or Age).
- Submit the application.
- Access the submitted application through the administrative interface.
- Observe that the injected JavaScript executes in the administrator's browser.
Remediation
The vendor should:
- Apply context-aware output encoding (HTML body, attribute, URL and JavaScript contexts) wherever stored applicant data is rendered. This is the primary fix, since records already stored may contain payloads that validation alone will not remove.
- Implement server-side input validation and sanitization; client-side checks can be bypassed by submitting directly to the endpoint.
- Restrict Applicant Name, Address, Age, and similar fields to expected character sets and ranges (Age should only accept a bounded integer).
- Deploy a restrictive Content Security Policy (CSP) as defense in depth, not as a substitute for output encoding.
- Review all admission-related input fields for similar vulnerabilities.
- Conduct security testing of all user-supplied data flows before deployment.
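The following Python sketch is an added example, not Gosfem's own code, showing what the validation and output-encoding items above look like in practice when applied to the advisory's payload. The field names applicant_name, address and age, the edit path, and the character-set rules are assumptions chosen for illustration; the actual application's names and requirements may differ.

```python
import html
import re
from urllib.parse import quote

# The payload from the advisory, placed in each of the three affected fields.
# MALICIOUS_SUBMISSION and BENIGN_SUBMISSION are constructed sample inputs.
STORED_XSS_PAYLOAD = "<script>alert(document.domain)</script>"
MALICIOUS_SUBMISSION = {
    "applicant_name": STORED_XSS_PAYLOAD,  # hypothetical field names
    "address": STORED_XSS_PAYLOAD,
    "age": STORED_XSS_PAYLOAD,
}
BENIGN_SUBMISSION = {
    "applicant_name": "Asha O'Neil-Kumar",
    "address": "12 Lake Road, Flat 3 & 4",
    "age": "14",
}

# Server-side validation: allow-list the alphabet of each field and bound the
# numeric one. These rules are illustrative; client-side checks are bypassable,
# so whatever the real rules are, they must run on the server.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'\-]{0,99}$")
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 ,.'#/&\-]{1,200}$")


def validate_application(form):
    """Return (clean_values, errors); reject anything outside the expected alphabet."""
    clean, errors = {}, {}
    name = form.get("applicant_name", "").strip()
    if NAME_RE.fullmatch(name):
        clean["applicant_name"] = name
    else:
        errors["applicant_name"] = "letters, spaces, apostrophes, hyphens and periods only"
    address = form.get("address", "").strip()
    if ADDRESS_RE.fullmatch(address):
        clean["address"] = address
    else:
        errors["address"] = "unexpected characters in address"
    age = form.get("age", "").strip()
    if age.isdigit() and 3 <= int(age) <= 120:
        clean["age"] = int(age)  # stored as a bounded integer, never as free text
    else:
        errors["age"] = "age must be a whole number between 3 and 120"
    return clean, errors


# Output encoding, chosen by the context the value lands in. html.escape with
# quote=True covers both HTML text and quoted attribute values; URL query
# parameters need percent-encoding instead.
def encode_html(value):
    return html.escape(str(value), quote=True)


def encode_url_param(value):
    return quote(str(value), safe="")


def render_record_vulnerable(record):
    """Mirrors the flaw in the advisory: raw interpolation into the admin page."""
    return "".join(f"<td>{record[k]}</td>" for k in ("applicant_name", "address", "age"))


def render_record_hardened(record):
    """Same admin view with every stored value encoded for its output context."""
    name = record["applicant_name"]
    cells = "".join(f"<td>{encode_html(record[k])}</td>" for k in ("applicant_name", "address", "age"))
    # Attribute context (an edit form pre-filled with the stored name).
    name_input = f'<input type="text" name="applicant_name" value="{encode_html(name)}">'
    # URL context (hypothetical link that filters on the stored name).
    edit_link = f'<a href="/admissions/edit?name={encode_url_param(name)}">edit</a>'
    return cells + name_input + edit_link


def csp_header():
    """Defense in depth only: blocks inline scripts if an encoding bug slips through."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    }


if __name__ == "__main__":
    print(validate_application(MALICIOUS_SUBMISSION)[1])
    print(render_record_vulnerable(MALICIOUS_SUBMISSION))
    print(render_record_hardened(MALICIOUS_SUBMISSION))
```

The vulnerable renderer reproduces the stored payload verbatim, so it would execute in the administrator's browser; the hardened renderer emits `&lt;script&gt;` in the cell and attribute and `%3Cscript%3E` in the link, none of which the browser treats as markup. Encoding is applied regardless of whether validation accepted the record, because records submitted before the fix may already hold payloads.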
Credit
Discovered and reported by Suraj Kumar H M.