CVE-2025-7815
BaseFortify
Publication date: 2025-07-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | apartment_visitors_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing server-side input validation and output encoding for the 'visname' parameter to prevent injection of malicious scripts. Applying a Content Security Policy (CSP) to restrict script execution is also recommended. Using sanitization libraries to properly handle user input before storage and rendering can help prevent exploitation. If possible, replacing the affected product with a secure alternative is suggested, as no known countermeasures or patches are documented. [2, 3]
Can you explain this vulnerability to me?
CVE-2025-7815 is a Stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul Apartment Visitors Management System version 1.0. It occurs because the 'visname' parameter, submitted via a POST request, is not properly sanitized or encoded before being stored and later rendered directly into the HTML content of /manage-newvisitors.php. This allows attackers to inject malicious JavaScript code that executes in the browsers of users who view the affected page, including administrators. [1, 3]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary JavaScript in the browsers of users who view the affected page. This can lead to theft of cookies or session tokens, Cross-Site Request Forgery (CSRF)-like session riding attacks, privilege escalation, exfiltration of sensitive data, or redirection to malicious websites. The integrity of the system can be compromised, although confidentiality and availability are not directly affected. Exploitation requires user interaction and authentication. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint /manage-newvisitors.php and testing the 'visname' parameter for stored cross-site scripting (XSS). One method is to submit a POST request with a test payload such as <script>alert(1)</script> in the 'visname' field to /avms/visitors-form.php and then verify if the script executes when viewing /manage-newvisitors.php. Additionally, Google dorking with queries like inurl:manage-newvisitors.php can help identify vulnerable targets. Example command using curl to test the vulnerability: curl -X POST -d "visname=<script>alert(1)</script>" https://targetsite.com/avms/visitors-form.php [2, 3]