
SK-2026-004

Published

Cross-Role Stored Cross-Site Scripting in Teacher Leave Application Functionality in Gosfem School Management System

Stored Cross-Site Scripting vulnerability in the teacher leave application reason field allowing authenticated teachers to execute arbitrary JavaScript in administrator sessions.

Advisory: SK-2026-004
CVE: To be assigned

Summary

A Stored Cross-Site Scripting (Stored XSS) vulnerability was identified in the teacher leave application functionality of the Gosfem School Management System.

The vulnerability exists in the Reason field of the leave application form, where user-supplied input is stored without sufficient sanitization or output encoding. Malicious JavaScript injected into this field is subsequently rendered within administrative interfaces.

The issue enables an authenticated teacher to store malicious JavaScript that executes in the browser of an Administrator when reviewing leave applications, creating a cross-role attack scenario.

Affected Component

  • Product: Gosfem School Management System
  • Component: Teacher Leave Management
  • Endpoint: /teacher/leave/
  • Affected Field: Reason
  • Vulnerability Type: Stored Cross-Site Scripting (CWE-79)

Technical Details

The application allows teachers to submit leave requests containing a free-text reason.

Input supplied to the Reason field is stored by the application and later rendered within administrative leave management interfaces without proper output encoding.

An authenticated teacher can inject arbitrary JavaScript into the Reason field. When an Administrator reviews the submitted leave request, the stored payload executes within the Administrator's browser context.

Testing confirmed execution of stored payloads within the administrative leave approval interface, demonstrating a cross-role Stored XSS condition where a lower-privileged teacher can trigger script execution in a higher-privileged Administrator session.

Example Payload

<script>alert(document.domain)</script>

The payload is successfully stored and executes when the affected leave application is viewed by an Administrator.

Impact

Successful exploitation allows an authenticated teacher to execute arbitrary JavaScript within the browser context of an Administrator.

The vulnerability creates a cross-role attack path in which a lower-privileged teacher account can store a malicious payload that is later executed when an Administrator reviews the submitted leave request.

Because leave applications are processed through administrative workflows, malicious payloads may be triggered whenever the affected record is viewed within the leave management interface.

Steps to Reproduce

  1. Authenticate to the application using a teacher account.
  2. Navigate to the leave application functionality.
  3. Insert a JavaScript payload into the Reason field.
  4. Submit the leave request.
  5. Authenticate using an Administrator account.
  6. Navigate to the leave approval or leave management interface.
  7. Open or review the submitted leave application.
  8. Observe that the injected JavaScript executes in the Administrator's browser.

Remediation

The vendor should:

  • Apply context-aware output encoding before rendering leave application content.
  • Validate and sanitize all user-supplied input fields.
  • Restrict the Reason field to expected content where appropriate.
  • Deploy a restrictive Content Security Policy (CSP).
  • Review all approval and workflow-related interfaces for similar Stored XSS vulnerabilities.
  • Conduct a comprehensive audit of user-controlled text fields rendered within administrative interfaces.
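The following is an added example, not code from Gosfem or from the advisory author, illustrating the defect described under Technical Details and the first four remediation items above. The language, the shape of the stored leave record, the template and every function name are assumptions; the page does not state how Gosfem renders the administrative leave table, only that the stored Reason value reaches the Administrator's browser unencoded.

```javascript
// Added example (not Gosfem's own code). Shows (1) a rendering path that
// places the stored Reason value into the admin leave table unencoded,
// (2) the same row with context-aware HTML output encoding, (3) a restrictive
// CSP as defence in depth, and (4) an audit helper for rows stored before the
// fix. Record shape, template and function names are assumptions.

// Minimal encoder for the HTML text and double-quoted attribute contexts.
// These five characters are the ones that can terminate an element body or
// an attribute value and start new markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed leave record, as an administrator's page would read it back
// from storage. The reason text is the advisory's example payload, kept
// verbatim because the vulnerable application does not encode on output.
const storedLeave = {
  id: 42,                  // constructed
  teacher: 'T. Example',   // constructed
  reason: '<script>alert(document.domain)</script>',
};

// Vulnerable rendering: stored values are concatenated straight into the
// administrative table. The browser parses the <script> element and runs it
// in the administrator's session (the cross-role condition in the advisory).
function renderLeaveRowUnsafe(leave) {
  return `<tr><td>${leave.id}</td><td>${leave.teacher}</td><td>${leave.reason}</td></tr>`;
}

// Hardened rendering: every user-controlled value is encoded for the HTML
// text context at the moment it is written into the document. The payload
// is displayed as literal text and is never parsed as markup.
function renderLeaveRow(leave) {
  return `<tr><td>${encodeHtml(leave.id)}</td><td>${encodeHtml(leave.teacher)}</td><td>${encodeHtml(leave.reason)}</td></tr>`;
}

// Defence in depth: a Content-Security-Policy that refuses inline scripts, so
// an encoding miss elsewhere in the leave workflow does not turn into script
// execution. The per-response nonce permits the application's own inline
// scripts; the nonce generation is assumed to happen per request.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Audit helper for records written before the fix: flags Reason values that
// contain HTML tags so they can be reviewed. This is a review heuristic, not
// a sanitizer; the protection that matters is encoding on output.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-z!][^>]*>/i.test(String(text));
}

function auditReasons(leaves) {
  return leaves.filter((l) => containsMarkup(l.reason)).map((l) => l.id);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderLeaveRowUnsafe(storedLeave));
  console.log('encoded:', renderLeaveRow(storedLeave));
  console.log('csp    :', buildCsp('per-request-nonce'));
  console.log('flagged:', auditReasons([storedLeave, { id: 43, teacher: 'x', reason: 'Family event' }]));
}
```

The encoder is deliberately tied to the HTML text context; a Reason value placed inside a JavaScript string, a URL or an inline event handler needs the encoder for that context instead, which is what "context-aware" in the remediation list refers to.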

Credit

Discovered and reported by Suraj Kumar H M.