CVE-2025-5661
BaseFortify

Publication date: 2025-06-05

Last updated on: 2025-11-13

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part of the file /save-settings.php of the component Setting Handler. The manipulation of the argument site_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-06-05
Last Modified: 2025-11-13
Generated: 2026-05-07
AI Q&A: 2025-06-05
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: carmelo
Product: traffic_offense_reporting_system
Version / Range: 1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-5661 is a Stored Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Traffic Offense Reporting System. It occurs because the application does not properly validate or sanitize user input in the 'site_name' parameter within the /save-settings.php file. Malicious JavaScript code submitted via this parameter is stored in the system and later executed in users' browsers when they visit affected pages, allowing attackers to run persistent XSS attacks. [1, 2, 3]

How can this vulnerability impact me?

This vulnerability can lead to session hijacking, theft of sensitive data such as cookies, website defacement, distribution of client-side malware, and full user compromise. It impacts data confidentiality, system integrity, and organizational trust by allowing attackers to execute malicious scripts in users' browsers. [1, 2]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the 'site_name' parameter in the /save-settings.php file is vulnerable to stored XSS. One method is to send a POST request with a test payload (e.g., <script>alert(1)</script>) in the 'site_name' parameter and then verify if the script executes when loading pages like login.php, sidebar.php, or site-settings.php. Additionally, vulnerable targets can be identified using Google dorking with the query: inurl:save-settings.php. [1, 3]

What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include sanitizing and validating all user inputs to the 'site_name' parameter and properly encoding outputs before rendering them on web pages. Applying input validation and output encoding will prevent malicious scripts from being stored and executed. If possible, consider replacing the vulnerable software with an alternative that does not have this issue. [1, 2, 3]
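The input validation and output encoding described above, shown as an added illustration in PHP; this is not code from the Traffic Offense Reporting System project, and the function names, the site-name character allowlist and the sample values are hypothetical.

```php
<?php
// Added illustration, not the project's own save-settings.php.
// Shows the weak pattern behind CWE-79 beside a hardened handling of site_name.
declare(strict_types=1);

// Weak pattern: the stored setting is echoed into the page verbatim.
function render_site_name_unsafe(string $stored): string
{
    return "<title>" . $stored . "</title>";
}

// Hardened input handling: accept only a plausible site name.
// The length bound and allowlist are assumptions; tune them per deployment.
function validate_site_name(string $input): ?string
{
    $trimmed = trim($input);
    if ($trimmed === '' || mb_strlen($trimmed) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,&\'\-]+$/u', $trimmed)) {
        return null;
    }
    return $trimmed;
}

// Hardened output: encode for the HTML text context at render time, so even a
// value that was stored before the fix cannot be interpreted as markup.
function render_site_name_safe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<title>" . $encoded . "</title>";
}

// Constructed sample values standing in for the site_name POST parameter.
$samples = [
    'City Traffic Office',
    '<script>alert(1)</script>',
];

foreach ($samples as $value) {
    $accepted = validate_site_name($value);
    echo "input:    " . $value . PHP_EOL;
    echo "validate: " . ($accepted === null ? 'rejected' : 'accepted') . PHP_EOL;
    echo "unsafe:   " . render_site_name_unsafe($value) . PHP_EOL;
    echo "safe:     " . render_site_name_safe($value) . PHP_EOL . PHP_EOL;
}
```

Validation on the way in and encoding on the way out are both needed: validation alone leaves previously stored values live, and encoding alone lets junk accumulate in the settings table.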