Phpgurukul Hostel Management System vulnerabilities

15 known vulnerabilities affecting phpgurukul/hostel_management_system.

Total CVEs: 15
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 11

Vulnerabilities

CVE-2025-63611 | HIGH | CVSS 8.7 | v2.1 | 2026-01-08
CWE-79: Cross-Site Scripting in phpgurukul Hostel Management System v2.1: user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser.
Source: nvd
CVE-2025-13577 | MEDIUM | CVSS 5.1 | v2.1 | 2025-11-24
CWE-79: A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Executing a manipulation of the argument cdetails can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
Sources: cvelistv5, nvd
CVE-2025-28129 | MEDIUM | CVSS 5.4 | v2.1 | 2025-10-06
CWE-1021: Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking.
Source: nvd
CVE-2025-6154 | MEDIUM | CVSS 6.9 | v1.0 | 2025-06-17
CWE-74: A vulnerability was found in PHPGurukul Hostel Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /includes/login.inc.php. The manipulation of the argument student_roll_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Sources: cvelistv5, nvd
CVE-2025-6153 | MEDIUM | CVSS 6.9 | v1.0 | 2025-06-17
CWE-74: A vulnerability has been found in PHPGurukul Hostel Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/students.php. The manipulation of the argument search_box leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Sources: cvelistv5, nvd
CVE-2025-6155 | MEDIUM | CVSS 6.9 | v1.0 | 2025-06-17
CWE-74: A vulnerability was found in PHPGurukul Hostel Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /includes/login-hm.inc.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Sources: cvelistv5, nvd
CVE-2025-45953 | CRITICAL | CVSS 9.1 | v2.1 | 2025-04-28
CWE-384: A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely.
Source: nvd
CVE-2023-36375 | MEDIUM | CVSS 5.4 | v2.1 | 2023-07-10
CWE-79: Cross Site Scripting vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the Guardian name, Guardian relation, complimentary address, city, permanent address, and city parameters in the Book Hostel & Room Details page.
Source: nvd
CVE-2023-36376 | MEDIUM | CVSS 4.8 | v2.1 | 2023-07-10
CWE-79: Cross-Site Scripting (XSS) vulnerability in Hostel Management System v.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the add course section.
Source: nvd
CVE-2023-36939 | MEDIUM | CVSS 6.1 | v2.1 | 2023-07-10
CWE-79: Cross-Site Scripting (XSS) vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the search booking field.
Source: nvd
CVE-2023-34652 | MEDIUM | CVSS 6.1 | v1.0 | 2023-06-28
CWE-79: PHPGurukul Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS) via Add New Course.
Source: nvd
CVE-2023-34647 | MEDIUM | CVSS 6.1 | v1.0 | 2023-06-28
CWE-79: PHPGurukul Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS).
Source: nvd
CVE-2021-43137 | HIGH | CVSS 8.8 | v2.1 | 2021-12-01
CWE-79: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists in hostel management system 2.1 via the name field in my-profile.php. Chaining both vulnerabilities leads to account takeover.
Source: nvd
CVE-2020-25270 | MEDIUM | CVSS 5.4 | PoC | v2.1 | 2020-10-08
CWE-79: PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.
Source: nvd
CVE-2020-5510 | CRITICAL | CVSS 9.8 | v2.0 | 2020-01-08
CWE-89: PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.
Source: nvd