CVE-2022-29359

MEDIUM

School Club Application System 0.1 - Stored Cross-Site Scripting via Firstname Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-29359. PoCs published by ZSECURE.

AI-analyzed exploit summary This PoC demonstrates an unauthenticated stored XSS vulnerability in School Club Application System, leading to session cookie theft and subsequent HTML injection for RCE. The exploit chain involves injecting malicious JavaScript via the application form and leveraging stolen admin cookies to inject PHP code.

Description

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Exploits (1)

nomisec WORKING POC
by ZSECURE · poc
https://github.com/ZSECURE/CVE-2022-29359

This PoC demonstrates an unauthenticated stored XSS vulnerability in School Club Application System, leading to session cookie theft and subsequent HTML injection for RCE. The exploit chain involves injecting malicious JavaScript via the application form and leveraging stolen admin cookies to inject PHP code.

Classification
Working Poc 95%
Attack Type
Xss | Rce
Complexity
Moderate
Reliability
Reliable
Target: School Club Application System (SCAS - PHP)
No auth needed
Prerequisites: Access to the application form page · Admin or Club Admin must view the malicious application
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.1
EPSS 0.0110
EPSS Percentile 61.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
school_club_application_system_project/school_club_application_system 1.0
Published May 25, 2022
Tracked Since Feb 18, 2026