Stored Cross-Site Scripting (XSS) in Smart School
Smart School v7.0
INCIBE has coordinated the publication of a medium-severity vulnerability that affects Smart School, a system for managing schools. This vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS 4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-41107: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
No solution has been reported at this time.
CVE-2025-41107: Stored Cross-Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', which affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.
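Since no fix is reported, operators may want to audit what has been submitted to '/online_admission'. The following is an added example, not code from INCIBE or from Smart School: it checks every field of a form-encoded POST body for markup, including doubly percent-encoded values, and returns the HTML-escaped form that is safe to render. The function names and the sample body are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

# Characters that can open a tag or break out of a quoted attribute.
# The apostrophe is left out on purpose so names like O'Brien are not flagged.
MARKUP = re.compile(r'[<>"`]')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_admission_post(body: str) -> dict:
    """Return {field: HTML-escaped value} for every field that carries markup.

    All fields are checked, not only the three named in the advisory,
    because the advisory states that other parameters are affected too.
    """
    findings = {}
    for field, raw in parse_qsl(body, keep_blank_values=True):
        value = fully_decode(raw)
        if MARKUP.search(value):
            # html.escape() yields the form that renders as inert text.
            findings[field] = html.escape(value, quote=True)
    return findings


# Constructed sample body (not captured traffic): one doubly encoded value,
# one legitimate name with an apostrophe, one value carrying a script tag.
SAMPLE_BODY = (
    "firstname=%253Cb%253EAna"
    "&lastname=O%27Brien"
    "&guardian_name=%3Cscript%3Econstructed%3C%2Fscript%3E"
)

if __name__ == "__main__":
    for name, escaped in audit_admission_post(SAMPLE_BODY).items():
        print(f"markup in {name!r}: {escaped}")
```

The same check can be run over values already stored by the application; escaping at output time is what prevents a stored value from executing in an authenticated user's browser.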



