
A recently disclosed vulnerability in the code-projects Online Exam Mastering System 1.0 exposes users to reflected Cross-Site Scripting (XSS) attacks. The flaw, tracked as CVE-2025-28121, allows attackers to inject malicious scripts via the feedback.php endpoint. This vulnerability has been publicly documented on Exploit-DB and GitHub, with proof-of-concept (PoC) examples demonstrating its exploitation [1].
Summary for Security Leaders
The vulnerability affects the PHP-based Online Exam Mastering System 1.0, specifically through the q parameter in feedback.php. Attackers can craft URLs containing JavaScript payloads, which execute when victims visit the manipulated link. Successful exploitation could lead to session hijacking, credential theft, or privilege escalation. Mitigation requires input sanitization or Content Security Policy (CSP) headers [2].
- CVE ID: CVE-2025-28121 (CVSS pending)
- Affected Version: Online Exam Mastering System 1.0
- Vulnerable Parameter: q in feedback.php
- PoC: http://target/feedback.php?q=<script>alert('XSS')</script>
- Mitigation: Input validation using htmlspecialchars() or CSP headers
Technical Analysis
The reflected XSS vulnerability stems from unsanitized user input in the q parameter of feedback.php. When the parameter value is echoed back in the HTTP response without proper encoding, arbitrary JavaScript can execute in the victim's browser. The PoC from Exploit-DB confirms this behavior with a simple alert dialog payload [1].
Pruthu Raut, the discoverer, published a GitHub repository detailing the exploit. The README includes a video demonstration showing cookie theft via document.cookie exfiltration. Related vulnerabilities in similar systems (e.g., SourceCodester Employee Management System 1.0) suggest a pattern of inadequate input sanitization in PHP-based web applications [3].
Remediation and Best Practices
To mitigate this vulnerability, developers should:
- Sanitize input using PHP's htmlspecialchars() or OWASP ESAPI.
- Implement CSP headers to restrict inline script execution.
- Audit similar endpoints for unsanitized output.
For system administrators, immediate actions include:
- Monitoring web server logs for suspicious feedback.php requests.
- Applying vendor patches if available.
- Deploying WAF rules to block XSS payloads.
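The log-monitoring step above can be automated. The following is an added example (not code from the advisory, the vendor, or the PoC repository) that scans combined-format access log lines for requests to feedback.php whose q parameter, after URL decoding, carries script-injection markers; the log lines, IPs and timestamps are constructed sample data.

```python
"""Flag feedback.php requests whose q parameter looks like a reflected XSS attempt."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx combined format: ip - user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Markers that indicate script injection once the value is decoded (case-insensitive).
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def suspicious_q_values(path: str) -> list:
    """Return decoded q values that match XSS markers, only for feedback.php requests."""
    parts = urlsplit(path)
    if parts.path.rsplit("/", 1)[-1] != "feedback.php":
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("q", []):
        decoded = unquote(unquote(value))  # parse_qs decoded once; catch double encoding too
        if XSS_MARKERS.search(decoded):
            hits.append(decoded)
    return hits

def scan_log(lines) -> list:
    """Return (client_ip, timestamp, status, decoded_payload) per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, _method, path, status = m.groups()
        for payload in suspicious_q_values(path):
            findings.append((ip, ts, int(status), payload))
    return findings

# Constructed sample log lines (not real traffic): the advisory's PoC payload once
# URL-encoded, a benign request, the same payload double-encoded, and another endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:22 +0000] "GET /feedback.php?q=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2025:10:02:03 +0000] "GET /feedback.php?q=great+course HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2025:10:03:47 +0000] "GET /feedback.php?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 530 "-" "curl/8.0"',
    '192.0.2.55 - - [12/Mar/2025:10:04:10 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} payload={payload!r}")
```

The double-decoding matters: a payload encoded twice passes a single-pass check unchanged, so a detection that decodes only once misses it.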
Conclusion
CVE-2025-28121 highlights the persistent risk of XSS in web applications lacking input validation. While the impact is limited to reflected XSS, the ease of exploitation warrants prompt remediation. Organizations using affected systems should prioritize updates and monitor for exploit attempts.
References
- [Exploit-DB 52272] “code-projects Online Exam Mastering System 1.0 – Reflected XSS,” Exploit Database, 2025. [Online]. Available: https://www.exploit-db.com/exploits/52272
- [GitHub] pruthuraut/CVE-2025-28121, “PoC for reflected XSS in Online Exam Mastering System,” 2025. [Online]. Available: https://github.com/pruthuraut/CVE-2025-28121
- [Vulners] “CVE-2025-28121 Detail,” Vulners.com, 2025. [Online]. Available: https://vulners.com/cve/CVE-2025-28121