CVE-2025-6778
BaseFortify

Publication date: 2025-06-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-06-27
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-06-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: fabian
Product: food_distributor_site
Version / Range: 1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6778 is a Cross-Site Scripting (XSS) vulnerability in the Code-Projects Food Distributor System version 1.0. It exists in the /admin/save_settings.php file, specifically in the parameters site_phone, site_email, and address. An attacker can inject malicious scripts through these parameters, which are not properly neutralized before being included in web page output. This allows unauthorized script execution in the context of the affected web application, potentially compromising the security of the site. The attack can be launched remotely but requires authentication and user interaction. [1, 3, 4]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized execution of malicious scripts within the affected web application, potentially allowing attackers to perform actions such as session hijacking, unauthorized administrative actions, or other malicious activities within the context of the site. Since the vulnerability affects administrative settings, it could compromise the integrity and security of the application. The attack is relatively easy to execute and can be performed remotely, increasing the risk to users and administrators. [1, 3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of the vulnerable admin page using Google dorking with the query: inurl:admin/save_settings.php. Additionally, testing the parameters site_phone, site_email, and address of the /admin/save_settings.php script with cross-site scripting (XSS) payloads can help identify the vulnerability. There is a publicly available proof-of-concept exploit on GitHub that can be used for testing. Specific commands include using curl or wget to send crafted requests to these parameters and observing whether the input is reflected without proper neutralization, which indicates XSS. For example, a curl command to test site_phone might be: curl -X POST -d "site_phone=<script>alert(1)</script>" https://targetsite/admin/save_settings.php [4]


What immediate steps should I take to mitigate this vulnerability?

No known countermeasures or mitigations are currently available for this vulnerability. The suggested immediate step is to replace the affected component (Code-Projects Food Distributor Site 1.0) with an alternative product that does not have this vulnerability. Additionally, restricting access to the /admin/save_settings.php page and monitoring for suspicious activity may help reduce risk until a fix or replacement is implemented. [4]

