SK-2026-002
Cross-Account Stored Cross-Site Scripting in User Profile Name Field in Gosfem School Management System
Cross-account Stored Cross-Site Scripting vulnerability in user profile name fields allowing authenticated users to execute arbitrary JavaScript in the browsers of teachers, administrators, and other users who view affected profile information.
- Status: Published
- Advisory: SK-2026-002
- CVE: To be assigned
Summary
A Cross-Account Stored Cross-Site Scripting (Stored XSS) vulnerability was identified in the user profile functionality of the Gosfem School Management System.
The vulnerability exists in the profile Name field: user-supplied input is stored verbatim and later rendered without output encoding. JavaScript injected into this field therefore executes wherever the affected user's name is displayed in the application.
The issue enables authenticated users to store malicious JavaScript that executes in the browsers of other users, including teachers and administrators, creating a cross-account attack scenario between user roles. Testing confirmed execution in both profile-related interfaces and staff listing pages accessible through the application's main dashboard.
Affected Component
- Product: Gosfem School Management System
- Component: User Profile Management
- Affected Field: Name
- Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Technical Details
The application allows authenticated users across multiple non-administrative roles to modify their profile information, including the Name field.
Input supplied to the Name field is stored by the application and later rendered without proper output encoding. An authenticated attacker can inject arbitrary JavaScript into this field, which is subsequently displayed throughout the application wherever the affected user's profile information appears.
Testing confirmed that stored payloads execute not only for the attacking account but also when viewed by other users. The payload was observed to execute across multiple user accounts and roles, including teacher and administrator accounts, demonstrating a cross-account Stored XSS condition.
Additionally, the affected profile name is rendered within staff directory and staff listing pages available through the application's main dashboard. Stored payloads were observed executing when these pages displayed affected teaching and non-teaching staff records.
Student records were not observed to trigger the vulnerability because the affected profile information was not rendered within the tested dashboard staff listing interfaces.
Example Payload
<script>alert(document.domain)</script>
The payload is successfully stored and executes when the affected profile information is rendered within application interfaces.
Impact
Successful exploitation allows an authenticated user to execute arbitrary JavaScript within the browser context of other users interacting with the application.
The vulnerability creates a cross-account attack path in which a lower-privileged authenticated user can store a malicious payload that is later executed in the browsers of higher-privileged users who view the affected profile information.
Testing confirmed execution of stored payloads when viewed by users across multiple roles, including teachers and administrators. Execution was also observed through staff directory and staff listing pages displaying teaching and non-teaching personnel, increasing the exposure of the vulnerability across the application.
Any interface that renders the affected user's name may trigger execution of the stored payload.
Steps to Reproduce
- Authenticate to the application using a non-administrative user account.
- Navigate to the profile management page.
- Modify the Name field with a JavaScript payload.
- Save the profile information.
- Access an interface that displays the affected user's name from another user account.
- Observe that the injected JavaScript executes when the profile information is rendered.
- Navigate to staff directory or staff listing pages that display teaching or non-teaching personnel.
- Observe that the stored payload executes when the affected user record is displayed.
- Repeat using teacher and administrator accounts to verify cross-account execution.
Remediation
The vendor should:
- Apply context-aware output encoding before rendering profile data.
- Validate and sanitize user-supplied profile information.
- Restrict Name fields to expected character sets and lengths where appropriate.
- Deploy a restrictive Content Security Policy (CSP).
- Review all user-controlled profile attributes for similar vulnerabilities.
- Perform a comprehensive review of all locations where user profile information is rendered, including profile pages, directories, staff listings, and administrative interfaces.
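The following is an added illustration of the first, third and fourth remediation items; it is not code from the Gosfem project or from the reporter. The page does not state the language of the Gosfem codebase, so the example is written in JavaScript so that the render step can be run directly with Node. The staff record, the template fragments, the Name policy and the CSP value are constructed assumptions; the payload is the one given in the Example Payload section.

```javascript
// Added illustration, not Gosfem code: the advisory's payload reaching a staff listing
// unencoded, and the same render path with context-aware output encoding.
// The profile record, templates, name policy and CSP value are constructed assumptions.

// Constructed staff record with the advisory's example payload as the Name value.
const attackerProfile = {
  id: 42,
  role: "teacher",
  name: "<script>alert(document.domain)</script>",
};

// Vulnerable pattern (CWE-79): the stored Name is concatenated straight into HTML,
// so the browser parses the payload as markup and runs the script.
function renderStaffRowVulnerable(profile) {
  return `<tr><td>${profile.id}</td><td>${profile.name}</td><td>${profile.role}</td></tr>`;
}

// Encoder for HTML text content and double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encoder for a JavaScript string-literal context (a value written into an inline
// script). Every non-alphanumeric character becomes \xHH or \uHHHH, so the value can
// neither close the quote nor emit "</script>". HTML encoding is the wrong tool here.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Hardened pattern: each interpolation is encoded for the context it lands in
// (attribute value and text node here); attribute values are always quoted.
function renderStaffRowSafe(profile) {
  return `<tr data-name="${escapeHtml(profile.name)}">` +
    `<td>${escapeHtml(profile.id)}</td>` +
    `<td>${escapeHtml(profile.name)}</td>` +
    `<td>${escapeHtml(profile.role)}</td></tr>`;
}

// The same Name handed to an inline script uses the JS-string encoder instead.
function renderDisplayNameScriptSafe(profile) {
  return `<script>var displayName = "${escapeJsString(profile.name)}";</script>`;
}

// Input-side policy for the Name field (constructed): letters in any script, combining
// marks, spaces and the punctuation found in real names; at most 100 characters.
// This complements output encoding; it does not replace it.
const NAME_RE = /^[\p{L}\p{M}][\p{L}\p{M} .'-]{0,99}$/u;
function isAcceptableName(name) {
  return typeof name === "string" && NAME_RE.test(name);
}

// Defence in depth: a CSP without 'unsafe-inline' stops an inline <script> payload
// from executing even where an encoding step has been missed (constructed value).
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Run directly with: node render.js
console.log("vulnerable:   ", renderStaffRowVulnerable(attackerProfile));
console.log("hardened:     ", renderStaffRowSafe(attackerProfile));
console.log("script ctx:   ", renderDisplayNameScriptSafe(attackerProfile));
console.log("name accepted:", isAcceptableName(attackerProfile.name));
console.log("CSP:          ", CONTENT_SECURITY_POLICY);
```

Two points the block is meant to make. First, the fix belongs at the render step, applied per context: the HTML encoder is correct for text nodes and quoted attributes but would not protect a value written into an inline script, which needs the JS-string encoder. Second, the Name whitelist and the CSP are layers on top of encoding, not alternatives to it; note that a `script-src` without `'unsafe-inline'` or a nonce also blocks the application's own inline scripts, so deploying it requires moving those into separate files.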
Credit
Discovered and reported by Suraj Kumar H M.