CVE-2025-7816
BaseFortify
Publication date: 2025-07-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | apartment_visitors_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7816 is a Stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul Apartment Visitors Management System version 1.0. It occurs because the 'visname' parameter submitted via a POST request is not properly sanitized or encoded before being stored and later rendered directly into the HTML content of the visitor-detail.php page. This allows attackers to inject malicious JavaScript code that executes in the browsers of users who view the page, including administrators. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the browsers of users viewing the affected page. Potential impacts include stealing cookies or session tokens, performing Cross-Site Request Forgery (CSRF)-like session riding attacks, escalating privileges if an administrator views the injected content, exfiltrating sensitive data, or redirecting users to malicious websites. [3, 2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the PHPGurukul Apartment Visitors Management System version 1.0 is in use and if the 'visname' parameter in POST requests to /visitor-detail.php or /visitors-form.php is improperly sanitized. One detection method is to test the input field by submitting a payload such as <script>alert(1)</script> in the 'visname' parameter via a POST request and then checking if the script executes when the visitor-detail.php page is loaded. Additionally, vulnerable targets can be identified using Google dorking with queries like "inurl:visitor-detail.php" to find exposed instances. Network monitoring tools can capture POST requests to these endpoints to check for suspicious input. Example command using curl to test the vulnerability: curl -X POST -d "visname=<script>alert(1)</script>" http://target-site/visitors-form.php [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing server-side input validation and output encoding for the 'visname' parameter to prevent injection of malicious scripts. Applying a Content Security Policy (CSP) to restrict script execution can reduce impact. Using a sanitizer to properly handle user input before rendering is recommended. Since no known countermeasures or patches are documented, replacing the affected product with an alternative solution is suggested. Avoiding use of the vulnerable system until a fix is applied is prudent. [3, 2]