CVE-2025-9595 Overview
CVE-2025-9595 is a reflected cross-site scripting (XSS) vulnerability [CWE-79] affecting code-projects Student Information Management System 1.0. The flaw resides in the /login.php endpoint, where the uname parameter is processed without proper sanitization or output encoding. Remote attackers can inject arbitrary JavaScript that executes in the victim's browser session when the crafted input is reflected back. Exploitation requires user interaction, such as convincing a victim to click a malicious link. Public disclosure of the exploit technique increases the likelihood of opportunistic abuse against exposed deployments.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser via the uname parameter of /login.php, enabling session token theft, credential harvesting, and phishing overlays on the login page.
Affected Products
- itsourcecode Student Information Management System 1.0
- Deployments referencing the code-projects distribution of this application
- Web-facing instances exposing /login.php to untrusted networks
Discovery Timeline
- 2025-08-29 - CVE-2025-9595 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9595
Vulnerability Analysis
The vulnerability is a reflected cross-site scripting issue in the login handler of the Student Information Management System. When a user submits credentials to /login.php, the application echoes the supplied uname value back into the HTML response without applying context-appropriate escaping. This allows an attacker to inject HTML and JavaScript payloads that the victim's browser will render and execute in the origin of the vulnerable application.
Because the vulnerable endpoint is the login page itself, attackers can weaponize the flaw for credential theft by overlaying fake authentication prompts, or by exfiltrating any session state associated with the origin. The Exploit Prediction Scoring System (EPSS) data reflects a limited probability of near-term mass exploitation, but the public availability of the technique makes targeted use plausible.
Root Cause
The root cause is missing input validation and output encoding on the uname request parameter. The application concatenates user-controlled input into an HTML response context without invoking an HTML entity encoder or a templating engine with auto-escaping enabled. This is a classic instance of CWE-79: Improper Neutralization of Input During Web Page Generation.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a URL or form submission to /login.php containing a malicious uname value. The victim must open the crafted request, typically delivered by phishing email, chat, or a malicious referrer. Upon rendering, the injected script executes with the privileges of the vulnerable origin. See the GitHub CVE Issue #57 and VulDB #321769 references for further technical detail.
Detection Methods for CVE-2025-9595
Indicators of Compromise
- HTTP requests to /login.php containing angle brackets, script, onerror, onload, or URL-encoded equivalents (%3Cscript%3E) in the uname parameter
- Referrer headers pointing to external domains hosting redirect chains that terminate at /login.php
- Web server or WAF logs showing repeated malformed uname values from a single source address
Detection Strategies
- Deploy signatures matching common reflected XSS payloads (<script>, javascript:, event handlers) against the uname query and POST parameter on /login.php
- Enable Content Security Policy (CSP) violation reporting to surface unexpected inline script execution originating from the login page
- Correlate outbound browser telemetry with inbound HTTP request patterns to identify successful payload delivery
Monitoring Recommendations
- Alert on HTTP 200 responses to /login.php where the request contained script tags or JavaScript URI schemes
- Monitor authentication logs for anomalous login attempts immediately following suspicious /login.php requests, which may indicate credential capture
- Track user-agent and IP diversity submitting to the login endpoint to identify scripted probing
How to Mitigate CVE-2025-9595
Immediate Actions Required
- Restrict public exposure of the Student Information Management System until a patched build is available; place it behind a VPN or IP allowlist
- Deploy a web application firewall rule to block reflected XSS payloads targeting the uname parameter on /login.php
- Enforce a strict Content-Security-Policy header on the application that disallows inline scripts and untrusted script sources
Patch Information
No vendor advisory or official patch has been published at the time of writing. Organizations running this application should monitor the Code Projects resource for updates and apply source-level fixes that HTML-encode the uname parameter before rendering. Applying htmlspecialchars($_POST['uname'], ENT_QUOTES, 'UTF-8') when echoing the value back into HTML resolves the reflection.
Workarounds
- Modify login.php locally to HTML-encode the uname value before it is written into any response context
- Set HttpOnly and SameSite=Strict on session cookies to reduce the impact of successful script execution
- Add server-side input validation that rejects uname values containing characters outside a defined allowlist such as [A-Za-z0-9_.-]
# Example WAF rule (ModSecurity) to block reflected XSS on the uname parameter
SecRule ARGS:uname "@rx (?i)(<script|javascript:|onerror=|onload=|<img|<svg)" \
"id:1009595,phase:2,deny,status:403,log,\
msg:'CVE-2025-9595 XSS attempt on /login.php uname parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

