CVE-2025-7144
BaseFortify
Publication date: 2025-07-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | best_salon_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7144 is a cross-site scripting (XSS) vulnerability in the Best Salon Management System version 1.0, specifically in the Admin Profile Page (/panel/admin-profile.php). It occurs due to improper handling of the 'Admin Name' argument, allowing an authenticated attacker to inject malicious scripts. This injection happens because input is not properly neutralized before being output to web pages, enabling attackers with valid credentials to execute scripts that can compromise system functionality. Exploitation requires authentication and user interaction. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an authenticated attacker to inject malicious scripts into the admin profile page, potentially compromising the integrity of the system. While it does not affect confidentiality or availability, it can lead to unauthorized script execution that may manipulate or alter data displayed to users. The attack requires authentication and user interaction, and the exploit is publicly known and easy to perform. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying instances of the vulnerable admin profile page, specifically the URL path /panel/admin-profile.php. One suggested method is using Google dorking with the query inurl:panel/admin-profile.php to find potentially affected systems. Since the vulnerability involves manipulation of the "Admin Name" argument leading to cross-site scripting, testing for XSS payload injection in this parameter while authenticated can help detect it. No specific network commands are provided, but web application scanning tools or manual testing with XSS payloads on the Admin Name field after authentication can be used. [2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability. The advisory suggests replacing the affected product with an alternative solution as an immediate mitigation step. Additionally, restricting access to the admin profile page and ensuring only trusted authenticated users have access may reduce risk. Applying input validation and output encoding on the Admin Name parameter could help, but no official patches or fixes are mentioned. [2]
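As an added illustration that is not code from the Best Salon Management System or from the advisory, the following shows the unencoded-output pattern the advisory describes for the Admin Name field beside a validate-on-input, encode-on-output fix; the function names, the allow-list and the sample input are assumptions.

```php
<?php
// Constructed example: mimics a profile page that stores an "Admin Name"
// and later echoes it into HTML. It is not the product's actual code.

// Vulnerable pattern: the stored value is placed in the page unchanged,
// so markup in the name is rendered for every user who views the page.
function render_admin_name_vulnerable(string $name): string
{
    return '<h2>Welcome, ' . $name . '</h2>';
}

// Fix, step 1: validate on input with an allow-list (assumed policy:
// letters in any script, combining marks, spaces, dots, hyphens,
// apostrophes; 1 to 64 characters). Returns null when the value is rejected.
function validate_admin_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Fix, step 2: encode on output for the HTML context. ENT_QUOTES also
// encodes quotes, so the same helper is safe inside attribute values.
function render_admin_name(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Welcome, ' . $safe . '</h2>';
}

// Constructed demonstration input: the classic XSS probe string.
$submitted = '<script>alert(1)</script>';
echo render_admin_name_vulnerable($submitted), PHP_EOL; // markup reaches the page as-is
echo render_admin_name($submitted), PHP_EOL;            // markup is encoded to inert text
var_dump(validate_admin_name($submitted));              // rejected before it is stored
var_dump(validate_admin_name("Ana O'Neil"));            // ordinary names pass validation
```

Validation alone is not the defence: the encoding step is what keeps a value safe in the HTML context regardless of how it entered the database.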