CVE-2025-7802
BaseFortify
Publication date: 2025-07-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | complaint_management_system | 2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7802 is a reflected Cross-Site Scripting (XSS) vulnerability in PHPGurukul Complaint Management System version 2.0, specifically in the /admin/complaint-search.php file. The vulnerability occurs because the application directly echoes user input from the "search" parameter without proper sanitization or encoding. This allows an attacker to inject malicious scripts that execute in the context of a victim's browser when they access the vulnerable search functionality. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the context of the affected web application. Potential impacts include session hijacking, where attackers steal user session cookies; defacement of the web page; and other malicious actions such as redirecting users to malicious sites or stealing sensitive information. Exploitation requires user interaction but can be launched remotely by submitting crafted requests. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/complaint-search.php endpoint for reflected Cross-Site Scripting (XSS) in the 'search' parameter. You can use curl or similar tools to send crafted POST requests containing JavaScript payloads to see if the input is reflected unsanitized. For example, use the command: curl -X POST -d "search=<script>alert('XSS')</script>" https://targetsite.com/admin/complaint-search.php and check if the response contains the injected script. Additionally, Google dorking with queries like inurl:admin/complaint-search.php can help identify vulnerable targets. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the /admin/complaint-search.php functionality to trusted users only, applying input validation and output encoding on the 'search' parameter to prevent script injection, and monitoring for suspicious activity. Since no known countermeasures or patches are published, replacing the affected component with an alternative product is recommended. Additionally, educating users to avoid clicking suspicious links and implementing Content Security Policy (CSP) headers can reduce impact. [3]