CVE-2025-7819
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-19

Last updated on: 2025-07-29

Assigner: VulDB

Description
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /create-pass.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. It is possible to initiate the attack remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-19
Last Modified
2025-07-29
Generated
2026-05-07
AI Q&A
2025-07-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-7819
EUVD
EUVD-2025-21957
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul apartment_visitors_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7819 is a Stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul Apartment Visitors Management System 1.0. It occurs because the 'visname' parameter submitted via a POST request to /create-pass.php is not properly sanitized or encoded. The input is stored and later rendered directly into the HTML content on the /manage-passes.php page without escaping or filtering. This allows attackers to inject malicious JavaScript code that executes in the browsers of users who view the page. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who view the affected page, including administrators. Potential impacts include theft of cookies or session tokens, Cross-Site Request Forgery (CSRF)-like session riding attacks, privilege escalation, exfiltration of sensitive data, redirection to malicious websites, session hijacking, and defacement. The attack can be initiated remotely and requires some user interaction. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the 'visname' parameter in a POST request to /avms/create-pass.php for improper sanitization and output encoding. A practical detection method is to submit a payload such as <script>alert(1)</script> in the 'visname' field and observe if the script executes when viewing the /manage-passes.php page. Additionally, vulnerable targets can be identified using Google dorking with queries like 'inurl:create-pass.php'. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing server-side input validation and output encoding for the 'visname' parameter to prevent script injection. Applying a Content Security Policy (CSP) to restrict script execution is also recommended. If possible, sanitize user inputs before storing and rendering them. Due to the lack of documented countermeasures, consider replacing the affected component with an alternative product until a patch or fix is available. [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart