CVE-2025-7818
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /category.php of the component HTTP POST Request Handler. The manipulation of the argument categoryname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-19
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-07-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-7818
EUVD
EUVD-2025-21958
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul apartment_visitors_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7818 is a Stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul Apartment Visitors Management System version 1.0. It occurs because the "categoryname" parameter submitted via a POST request to /category.php is not properly sanitized or encoded before being stored and rendered in the HTML content. This allows attackers to inject malicious JavaScript code that executes in the browsers of users who view the affected page, including administrators. [1, 3]


How can this vulnerability impact me? :

This vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who visit the affected page. Potential impacts include theft of cookies or session tokens, Cross-Site Request Forgery (CSRF)-like session riding attacks, privilege escalation, exfiltration of sensitive data, and redirection to malicious websites. The attack can be launched remotely and requires user interaction. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /category.php endpoint for improper sanitization of the 'categoryname' POST parameter. One approach is to send a crafted POST request with a payload such as <script>alert(1)</script> in the 'categoryname' field and observe if the script executes when the page is loaded. Additionally, Google dorking can be used to identify vulnerable targets by searching for "inurl:category.php". Example command using curl to test the vulnerability: curl -X POST -d "categoryname=<script>alert(1)</script>" http://targetsite/category.php [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing server-side output encoding and input validation on the 'categoryname' parameter to prevent injection of malicious scripts. Applying a Content Security Policy (CSP) to restrict script execution can also help reduce impact. Using sanitization libraries to properly handle user input before rendering is recommended. If possible, replacing or updating the affected component or product is suggested as no known mitigations are documented. [3, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart