
CVE-2025-46178 PoC — CloudClassroom-PHP-Project security vulnerability

Associated Vulnerability
Title: CloudClassroom-PHP-Project security vulnerability (CVE-2025-46178)
Description: CloudClassroom-PHP-Project is a cloud classroom website by the individual developer Vishal Mathur. CloudClassroom-PHP-Project has a security vulnerability caused by the eid parameter in askquery.php being susceptible to cross-site scripting, which may lead to session hijacking or tampering.
Readme
CVE-2025-46178
------------------------------------------

A Cross-Site Scripting (XSS) vulnerability exists in askquery.php via the
eid parameter in the CloudClassroom PHP Project. It allows remote
attackers to inject arbitrary JavaScript into the context of a victim's
browser session by sending a crafted URL, leading to session hijacking
or defacement.
------------------------------------------
Additional Information
The payload demonstrates successful JavaScript execution using the alert(9734) function.
Input is not being properly sanitized or encoded before rendering, exposing the application to reflected XSS.

To mitigate this issue:
------------------------------------------

Use server-side input validation
Encode output properly (especially for HTML contexts)
Consider using security libraries like OWASP ESAPI or frameworks with built-in XSS protection
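The two patterns behind these recommendations, as an added illustration that is not the project's code: a hypothetical reconstruction of a page that reflects eid unencoded, next to a hardened version that validates on input and encodes for the HTML text context. It assumes eid is a GET parameter holding an e-mail address (inferred from the PoC's sample value) and that the page echoes it back into HTML.

```php
<?php
// Added example: hypothetical reconstruction of the pattern behind
// CVE-2025-46178, NOT the project's actual askquery.php code.
// Assumptions: eid arrives via GET, is meant to be an e-mail address,
// and is echoed back into the HTML response.

// --- Vulnerable pattern: reflects eid without encoding ---------------
function render_vulnerable(array $get): string
{
    $eid = $get['eid'] ?? '';
    // Raw interpolation: a value such as <ScRiPt>alert(9734)</ScRiPt>
    // becomes live markup in the response (reflected XSS).
    return "<p>Query for: $eid</p>";
}

// --- Hardened pattern: validate on input, encode on output -----------
function render_hardened(array $get): string
{
    $eid = $get['eid'] ?? '';
    // Server-side validation: the parameter is expected to be an e-mail
    // address (assumption based on the PoC's sample value), so anything
    // else is rejected before it reaches the template.
    if (filter_var($eid, FILTER_VALIDATE_EMAIL) === false) {
        return '<p>Invalid request.</p>';
    }
    // Contextual output encoding for an HTML text node: < > & " ' are
    // turned into entities, so even a value that passed validation
    // cannot break out of the text context.
    $safe = htmlspecialchars($eid, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Query for: $safe</p>";
}

// Constructed inputs: the PoC payload in URL-decoded form, and a benign value.
$crafted = ['eid' => 'testing@example.com\'"()&%<zzz><ScRiPt >alert(9734)</ScRiPt>'];
$benign  = ['eid' => 'student@example.com'];

echo render_vulnerable($crafted), PHP_EOL; // script tag survives intact
echo render_hardened($crafted), PHP_EOL;   // rejected by validation
echo render_hardened($benign), PHP_EOL;    // encoded, rendered as plain text
```

Run it with the PHP CLI and compare the three lines: only the first one contains an unencoded script tag.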

Vulnerability Type
------------------------------------------
Cross Site Scripting (XSS)

Vendor of Product
------------------------------------------
https://github.com/mathurvishal/CloudClassroom-PHP-Project



Affected Product Code Base
------------------------------------------
CloudClassroom-PHP-Project 1.0 (https://github.com/mathurvishal/CloudClassroom-PHP-Project)


Affected Component
------------------------------------------
askquery.php, eid GET parameter, frontend HTML rendering logic



Attack Vectors
------------------------------------------
An attacker can inject malicious JavaScript payloads via the eid GET parameter.
When a victim visits a crafted URL, the script executes in their browser, potentially stealing cookies or performing unauthorized actions.

1. Open http://localhost/CloudClassroom-PHP-Project-master/askquery.php?eid=testing%40example.com%27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(9734)%3C/ScRiPt%3E in a browser.
2. An alert dialog appears, showing that the injected script executed.

Reference
https://owasp.org/www-community/attacks/xss/

------------------------------------------
Discoverer: saurabh
------------------------------------------
LinkedIn: https://www.linkedin.com/in/saurabh-b294b21aa/
------------------------------------------