Web Application Description

Hostel Management System v2.1 is a full-featured PHP/MySQLi-based web application designed to manage student hostel accommodation, rooms, complaints, feedback and registrations. The system supports two modules: the Admin side and the User (student) side.

Vulnerability Description — Stored Cross-Site Scripting (CWE-79)

A stored Cross-Site Scripting (XSS) vulnerability exists in Hostel Management System v2.1 within the complaint submission functionality.

Affected Components

  • Endpoint: /register-complaint.php (user module)
  • Vulnerable Fields: Explain the Complaint
  • Admin Viewer: /admin/complaint-details.php

Vulnerable Code

The application accepts user input from the "Explain the Complaint" textarea field without any sanitization or validation. The $complaintdetails variable directly captures the raw POST data, which is then stored in the database.

Attack Vector

Stored XSS: the content of the cdetails textarea is stored in the database without input sanitization and later rendered into /admin/complaint-details.php views without output encoding, allowing an authenticated user's submitted XSS payload to execute in any viewer's browser.

Fix: escape output (e.g., htmlspecialchars) and/or sanitize input.
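
The fix above, sketched as an added example (not code from the application or from this advisory): the complaint text is validated on input and HTML-encoded at render time. The function names, the 2000-character cap and the sample submission are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function names and the length cap are hypothetical,
// not taken from Hostel Management System's source.

/** Input side: accept only non-empty, valid UTF-8 text up to $maxChars. */
function validate_complaint_input(string $raw, int $maxChars = 2000): ?string
{
    $text = trim($raw);
    // preg_match returns false on invalid UTF-8 and 0 on a length mismatch.
    if (preg_match('/^.{1,' . $maxChars . '}$/us', $text) !== 1) {
        return null;
    }
    return $text; // stored as-is; encoding happens at output time
}

/** Output side: encode the stored text for an HTML element body. */
function encode_complaint_html(string $stored): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // byte sequences instead of returning an empty string.
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br runs after escaping, so <br /> is the only markup in the result.
    return nl2br($escaped);
}

// Constructed sample submission (not from the advisory).
$submitted = "Tap leaking in room 12 <script>alert(1)</script>\n\"urgent\" & 'today'";

$stored = validate_complaint_input($submitted);
if ($stored === null) {
    exit("complaint rejected\n");
}

$html = encode_complaint_html($stored);

// Self-check: no raw tag opener other than the <br /> added by nl2br survives.
if (preg_match('/<(?!br \/>)/', $html) === 1) {
    throw new RuntimeException('unencoded markup in output');
}

echo '<td>', $html, '</td>', PHP_EOL;
```

Encoding at render time also covers rows already stored in the database, which input validation alone does not.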

Proof of Concept

This PoC demonstrates the stored XSS vulnerability in the complaint submission module, specifically targeting the administrative complaint review functionality.

/register-complaint.php

Craft your payload in the "Explain the Complaint" field.

/admin/new-complaints.php

/admin/complaint-details.php?cid=11
