CVE-2025-45406
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-07-29

Assigner: MITRE

Description
A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is disputed by the Supplier because attackers cannot influence the value of debugbar_time, and because debugbar-related data is automatically escaped by the CodeIgniter Parser class.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-07-25
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor          Product                            Version / Range
sourcecodester  laundry_booking_management_system  1.0
atlassian       jira                               5.5.4
codeigniter     codeigniter4                       4.6.0
Note: only the codeigniter / codeigniter4 4.6.0 entry matches the Description above. The other two CPEs are not referenced anywhere in this CVE's description and should be treated as a mis-association until confirmed against the NVD record.
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-45406 is reported as a stored cross-site scripting (XSS) vulnerability in CodeIgniter4 version 4.6.0. According to the report, the debug toolbar takes the debugbar_time query parameter, uses it to build the name of a stored debug-data file, and echoes that file's contents back to the browser without sanitization, so a crafted value would end up as script running in the browser of a developer or administrator who opens the toolbar. The supplier disputes this (see Description): the debugbar_time value is generated by the toolbar itself rather than by an attacker, and the debugbar data is escaped by the CodeIgniter Parser class before it is rendered. Treat the finding as unconfirmed. [3]


How can this vulnerability impact me?

If the report is correct, an attacker could run arbitrary JavaScript in the browser of a privileged user (a developer or administrator viewing the debug toolbar), which can lead to session hijacking, credential theft, or takeover of that account; because the payload would live in the stored debug data rather than in the attacker's own request, it would fire again for every user who opens that toolbar entry. In practice the precondition is a deployment that leaves the debug toolbar enabled and reachable from untrusted networks, since the toolbar is a development feature. Even with the supplier's dispute taken into account, an exposed toolbar is worth treating as a finding in its own right, because it discloses internal request details to anyone who can reach it. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

First establish whether the debug toolbar is reachable at all, because the report only applies when it is. The toolbar is served from the application's base URL rather than from a separate /debug route: with the toolbar enabled, HTML responses carry an injected loader script (id="debugbar_loader"), and the stored debug data for a request is returned from ?debugbar_time=<timestamp>. For example: curl -s https://target.example/ | grep -c 'debugbar_loader' (a non-zero count means the toolbar is enabled in that environment), then curl -si 'https://target.example/?debugbar_time=<script>alert(1)</script>' to exercise the reported parameter. Note that the parameter does not create a file: the toolbar only uses it to choose which existing debugbar_<timestamp>.json under writable/debugbar/ to read, so a 404 is the expected answer for any value that is not a real timestamp, and a response that reflects the payload unescaped would be the behaviour the report describes. On the server, the presence of writable/debugbar/debugbar_*.json files confirms the toolbar has been running. In web server logs, flag requests whose debugbar_time value is anything other than a numeric timestamp, and any ?debugbar or ?debugbar_time request that reaches a production host from outside the development network. [3]
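
As an added example for the checks above (this is triage code written for this page, not CodeIgniter's or BaseFortify's): it classifies access-log requests by how they touch the toolbar and reports whether a captured response shows the toolbar enabled. The combined log format, the assumption that a genuine debugbar_time is a numeric timestamp, and the Debugbar-Time / Debugbar-Link header and debugbar_loader script-id markers are assumptions to verify against your CodeIgniter4 version; the log lines and the response fragments are constructed, not real traffic.

```python
"""Offline triage helpers for CVE-2025-45406 reports against a CodeIgniter4 app.

Added example for this page; it is not CodeIgniter or BaseFortify code.
Assumptions (hypothetical, not taken from the CVE text):
  * access logs are in the Apache/nginx "combined" format;
  * a legitimate debugbar_time value is the numeric timestamp the toolbar itself
    generates (digits, optionally with a fractional part), so any other value in
    that parameter is an injection attempt or a scanner probe;
  * an enabled toolbar reveals itself by a Debugbar-Time / Debugbar-Link response
    header or a <script id="debugbar_loader"> tag in HTML responses.
"""
import re
from urllib.parse import parse_qs, urlsplit

# One "combined" log line: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# What the toolbar's own JavaScript sends back, e.g. 1753438440 or 1753438440.123456
TIMESTAMP_RE = re.compile(r'^\d+(?:\.\d+)?$')


def classify_request(target):
    """Classify one request target (path + query) by how it touches the toolbar.

    'none'      - does not touch the toolbar
    'loader'    - ?debugbar (request for the loader script)
    'toolbar'   - ?debugbar_time=<numeric timestamp>, i.e. what the toolbar itself sends
    'injection' - ?debugbar_time carrying anything else (the CVE's claimed vector)
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get('debugbar_time')
    if values:
        # parse_qs already percent-decodes, so %3Cscript%3E arrives here as <script>
        return 'toolbar' if all(TIMESTAMP_RE.match(v) for v in values) else 'injection'
    if 'debugbar' in query:
        return 'loader'
    return 'none'


def scan_log(lines):
    """Return one finding per log line that touches the toolbar, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        verdict = classify_request(m['target'])
        if verdict == 'none':
            continue
        findings.append({
            'ip': m['ip'], 'time': m['ts'], 'target': m['target'],
            'status': int(m['status']), 'verdict': verdict,
        })
    return findings


def toolbar_exposed(headers, body):
    """True if a captured response shows the toolbar is enabled on that host."""
    names = {name.lower() for name in headers}
    if 'debugbar-time' in names or 'debugbar-link' in names:
        return True
    return 'id="debugbar_loader"' in body


# Constructed sample log lines (not real traffic); 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2025:10:14:02 +0000] "GET /?debugbar HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2025:10:14:03 +0000] "GET /?debugbar_time=1753438440.123456 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [25/Jul/2025:10:15:00 +0000] "GET /index.php/home HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2025:10:16:33 +0000] "GET /?debugbar_time=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404 0 "-" "curl/8.5.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:<14} {f['verdict']:<9} HTTP {f['status']} {f['target']}")
```

A 'toolbar' verdict with a 200 status from an address outside your development network is the finding that matters most: it means the toolbar is serving stored debug data on that host regardless of whether the disputed XSS is real. An 'injection' verdict with a 404 is what the supplier's description predicts for a crafted value.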


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps: - Make sure production runs with the toolbar off: set CI_ENVIRONMENT = production in .env, which leaves CI_DEBUG false so the toolbar is not injected, and remove the toolbar entry from the filter lists in app/Config/Filters.php if the environment setting cannot be relied on. - Block ?debugbar and ?debugbar_time requests at the reverse proxy or web server for any host that is not a developer workstation. - Keep writable/ outside the web root so stored debugbar_*.json files can never be fetched directly, and purge old ones (the toolbar keeps a history of these files; $maxHistory in app/Config/Toolbar.php bounds it). - If you have customised the toolbar views, keep the debugbar data escaped on output, as the stock Parser-based rendering does. These steps remove the exposure whether or not the disputed XSS turns out to be real, and they are the only practical response while the dispute stands, since no fix is expected for a disputed report. [3]

