CVE-2025-5757
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | traffic_offense_reporting_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5757 is a Stored Cross-Site Scripting (XSS) vulnerability in version 1.0 of the Traffic Offense Reporting System by code-projects. It occurs because multiple user-supplied input parameters (offence_id, vehicle_no, driver_license, name, address, gender, officer_reporting, offence) are not properly validated or sanitized before being stored and later displayed on front-end pages. This allows attackers to inject malicious JavaScript code that is stored in the system and executed in other users' browsers when they view the affected pages, leading to persistent XSS attacks. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in your users' browsers. This can lead to session hijacking, theft of sensitive information such as cookies, website defacement, distribution of client-side malware, and full user compromise. It affects data confidentiality, system integrity, and can damage organizational trust. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the /save-reported.php endpoint accepts user input parameters such as offence_id, vehicle_no, driver_license, name, address, gender, officer_reporting, and offence without proper sanitization, and if these inputs are stored and later rendered without encoding, leading to stored XSS. One way to detect vulnerable targets is by using Google dorking with queries like 'inurl:save-reported.php'. Additionally, testing can be done by sending POST requests with malicious JavaScript payloads (e.g., `<script>alert(1)</script>`) in these parameters and observing if the script executes when viewing related pages such as view-offence.php or offence-detail.php. Example command using curl to test injection [2, 3]:

```
curl -X POST -d "offence_id=<script>alert(1)</script>&vehicle_no=test" https://targetsite/save-reported.php
```
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include implementing proper input validation and sanitization on all user-supplied parameters (offence_id, vehicle_no, driver_license, name, address, gender, officer_reporting, offence) before storing them. Additionally, apply output encoding or escaping when rendering these values on web pages to prevent execution of injected scripts. If possible, replace the affected software with an alternative product. Until a patch is available, restrict access to the vulnerable endpoints and monitor for suspicious activity. [1, 2, 3]
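
The two controls named above, applied to the eight listed parameters, as an added example that is not code from the affected project. The field patterns and length limits and the helper names `validate_report` and `e` are assumptions, since the advisory does not state the expected formats.

```php
<?php
declare(strict_types=1);

// Allow-list patterns per field. The formats are assumptions for illustration;
// the advisory names the parameters but not their expected syntax.
const REPORT_RULES = [
    'offence_id'        => '/^[A-Za-z0-9-]{1,20}$/',
    'vehicle_no'        => '/^[A-Za-z0-9 -]{1,15}$/',
    'driver_license'    => '/^[A-Za-z0-9-]{1,20}$/',
    'name'              => '/^[\p{L}][\p{L} .\'-]{0,79}$/u',
    'address'           => '/^[\p{L}\p{N} .,#\/\'-]{1,200}$/u',
    'gender'            => '/^(male|female|other)$/i',
    'officer_reporting' => '/^[\p{L}][\p{L} .\'-]{0,79}$/u',
    'offence'           => '/^[\p{L}\p{N} .,()\/\'-]{1,200}$/u',
];

/**
 * Validate a submitted report (hypothetical helper).
 * Returns [cleanValues, errors]; store cleanValues only when errors is empty.
 */
function validate_report(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (REPORT_RULES as $field => $pattern) {
        $value = $input[$field] ?? null;
        // Reject arrays (e.g. name[]=x) and missing fields before matching.
        if (!is_string($value)) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $value = trim($value);
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'unexpected format';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a value stored before validation existed is still inert.
echo '<td>' . e('<script>alert(1)</script>') . '</td>', PHP_EOL;
```

Validation only affects new submissions; encoding at output is what neutralizes records already in the database.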