PT-2026-1840 · Phpgurukul · Hospital Management System

Published 2026-01-08 · Updated 2026-01-08 · CVE-2025-63611

CVSS v3.1: 8.7 High

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

phpgurukul Hostel Management System version 2.1

Description

The application stores user-provided complaint data, specifically the 'Explain the Complaint' field submitted through the `/register-complaint.php` endpoint, without proper output encoding. This allows for the injection of HTML and JavaScript code. When an administrator views complaint details via the `/admin/complaint-details.php?cid=` endpoint, the injected code executes in the administrator's browser. The `cid` variable in the endpoint is used to identify the complaint.

Recommendations

Apply appropriate output encoding or escaping mechanisms to the 'Explain the Complaint' field before storing and rendering it to prevent the execution of malicious scripts.
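
The output-encoding recommendation above, shown as an added PHP example that is not code from the application or from this advisory. It encodes the stored text at render time for both element and attribute contexts; the column name `complaintDetails`, the function names and the sample row are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: HTML-encode an untrusted value so it is safe as
// element content or inside a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: the stored complaint text is concatenated into the page as markup,
// so any tags it contains are parsed by the administrator's browser.
function render_complaint_unsafe(array $row): string
{
    return '<td>' . $row['complaintDetails'] . '</td>';
}

// After: encode first, then let nl2br() add line breaks. The only markup
// left in the cell is the <br> that nl2br() itself inserts.
function render_complaint(array $row): string
{
    return '<td>' . nl2br(e($row['complaintDetails'])) . '</td>';
}

// Attribute context (e.g. pre-filling an edit form): the same encoding,
// and the attribute value is always quoted.
function render_complaint_input(array $row): string
{
    return '<input type="text" name="complaint" value="' . e($row['complaintDetails']) . '">';
}

// Constructed sample row standing in for a database record (column name assumed).
$row = ['complaintDetails' => "Tap leaking <script>alert(1)</script>\nRoom \"12\""];

$cell  = render_complaint($row);
$input = render_complaint_input($row);

// Self-check: no tag from the stored text survives in either context.
if (stripos($cell, '<script') !== false || stripos($input, '<script') !== false) {
    throw new RuntimeException('stored markup reached the page unencoded');
}

echo $cell, PHP_EOL, $input, PHP_EOL;
```

If the text is also encoded before storage, encoding again at render time will display entity names literally, so pick one point (normally output) and apply it consistently.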

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2025-63611

Affected Products: Hospital Management System