CVE-2025-57205

Name of the Vulnerable Software and Affected Versions iNiLabs School Express (SMS Express) version 6.2

Description iNiLabs School Express (SMS Express) 6.2 is susceptible to a Stored Cross-Site Scripting (XSS) issue within its content-management features, accessible to authenticated administrator users. The issue is present in parameters submitted via POST requests to the /posts/edit/{id} endpoint, and similar editors for Notices and Pages. Insufficient input sanitization and output encoding allow attackers to inject HTML/JS payloads. These payloads are saved and subsequently rendered without proper sanitization, leading to JavaScript execution in other users' browsers when they access the affected content. An authenticated attacker can execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application lacks a restrictive Content Security Policy (CSP) or adequate filtering mechanisms to prevent these attacks.

Recommendations Update to a newer version that contains a fix for this vulnerability.