SK-2026-005

Cross-Role Stored Cross-Site Scripting in Department Management Functionality in Gosfem School Management System

Stored Cross-Site Scripting vulnerability in department creation functionality allowing authenticated HR users to execute arbitrary JavaScript in department-assigned user and administrator sessions.

Status: Published
Advisory: SK-2026-005
CVE: To be assigned

Summary

A Stored Cross-Site Scripting (Stored XSS) vulnerability was identified in the department management functionality of the Gosfem School Management System.

The vulnerability exists in the Department Name and Department Description fields of the department creation form. User-supplied input is stored without sufficient sanitization or output encoding and is subsequently rendered throughout the application.

The issue enables an authenticated HR user to store malicious JavaScript that executes in the browsers of users assigned to the affected department, and in the browsers of Administrator accounts viewing department-related information, creating a cross-role attack scenario.

Affected Component

  • Product: Gosfem School Management System
  • Component: Department Management
  • Affected Fields:
    • Department Name
    • Department Description
  • Vulnerability Type: Stored Cross-Site Scripting (CWE-79)

Technical Details

The application allows HR users to create and manage departments using Department Name and Department Description fields.

Input supplied to these fields is stored by the application and later rendered in department-related interfaces without proper output encoding.

An authenticated HR user can inject arbitrary JavaScript into either field. When users assigned to the affected department or Administrators access interfaces displaying the department information, the stored payload executes within their browser context.

Testing confirmed execution of stored payloads in both department-assigned user accounts and Administrator accounts, demonstrating a cross-role Stored XSS condition.

Example Payload

<script>alert(document.domain)</script>

The payload is successfully stored and executes when the affected department information is rendered.

Impact

Successful exploitation allows an authenticated HR user to execute arbitrary JavaScript within the browser context of other users interacting with the application.

The vulnerability creates a cross-role attack path in which a lower-privileged management user can store a malicious payload that is later executed when department-assigned users or Administrators view the affected department information.

Because department information may be displayed throughout the application, malicious payloads can affect multiple users associated with the department.

Steps to Reproduce

  1. Authenticate to the application using an HR account.
  2. Navigate to the department management functionality.
  3. Create a new department or edit an existing department.
  4. Insert a JavaScript payload into the Department Name or Department Description field.
  5. Save the department record.
  6. Authenticate using a user assigned to the affected department or an Administrator account.
  7. Navigate to an interface displaying the department information.
  8. Observe that the injected JavaScript executes in the viewer's browser.

Remediation

The vendor should:

  • Apply context-aware output encoding before rendering department information.
  • Validate and sanitize all user-supplied input fields.
  • Restrict department names and descriptions to expected content where appropriate.
  • Deploy a restrictive Content Security Policy (CSP).
  • Review all HR management modules for similar Stored XSS vulnerabilities.
  • Conduct a comprehensive audit of user-controlled text fields rendered within administrative and employee-facing interfaces.
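The following is an added illustration of the first four remediation items and of the rendering defect described under Technical Details; it is example code written for this advisory, not Gosfem code, and the record, function names and regular expression are constructed assumptions. It contrasts a render function that interpolates stored department fields directly into HTML with one that applies HTML output encoding, adds a write-time validator for department names, and defines a restrictive CSP header value.

```javascript
// Constructed sample record: the advisory's example payload stored as a department name,
// plus a description containing characters that are legitimate but HTML-significant.
const departmentRecord = {
  name: '<script>alert(document.domain)</script>',
  description: 'Handles "onboarding" & payroll <b>queries</b>',
};

// VULNERABLE pattern (the defect the advisory describes): stored text is placed
// into HTML body context with no output encoding, so markup in it is interpreted.
function renderDepartmentVulnerable(dept) {
  return `<h2>${dept.name}</h2><p>${dept.description}</p>`;
}

// HTML encoder for body and quoted-attribute contexts: the five characters
// that can change the parser's context are replaced by entity references.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// HARDENED pattern: every user-controlled value is encoded for the context it lands in.
// The description keeps its literal text (quotes, ampersand, angle brackets) but none of it
// is interpreted as markup.
function renderDepartmentHardened(dept) {
  return `<h2>${encodeHtml(dept.name)}</h2><p>${encodeHtml(dept.description)}</p>`;
}

// Write-time validation (defence in depth, not a substitute for output encoding):
// an assumed allow-list limiting department names to letters, digits, spaces and a
// few punctuation marks, 1 to 100 characters.
const DEPT_NAME_RE = /^[\p{L}\p{N} .,&'()\/-]{1,100}$/u;
function isValidDepartmentName(name) {
  return DEPT_NAME_RE.test(String(name));
}

// Crude check used only to make the difference observable in this example:
// does the rendered markup contain a <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Restrictive Content-Security-Policy value: no inline scripts, scripts only from the
// application's own origin, so a stored payload that slips through is still blocked.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Stand-alone demonstration of the two renderers on the constructed record.
function demo() {
  const vulnerable = renderDepartmentVulnerable(departmentRecord);
  const hardened = renderDepartmentHardened(departmentRecord);
  console.log('vulnerable render contains <script>:', containsScriptTag(vulnerable));
  console.log('hardened render contains <script>:', containsScriptTag(hardened));
  console.log('hardened markup:', hardened);
  console.log('name passes allow-list validation:', isValidDepartmentName(departmentRecord.name));
  console.log('Content-Security-Policy:', CSP_HEADER);
}

demo();
```

The encoder above is safe for HTML body text and for values placed inside double-quoted attributes; department data that ends up in a URL, an inline event handler or a JavaScript string needs the encoder for that context instead, which is what "context-aware" in the remediation list refers to. The allow-list is deliberately conservative and would need adjusting to the names an institution actually uses; it reduces what an HR user can store, while the encoding step is what removes the vulnerability.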

Credit

Discovered and reported by Suraj Kumar H M.