CVE-2025-10032
BaseFortify
Publication date: 2025-09-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | grocery_sales_and_inventory_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10032 is a reflected cross-site scripting (XSS) vulnerability in Campcodes Grocery Sales and Inventory System 1.0. The 'page' parameter of /index.php is written back into the response without validation or output encoding, so an attacker who gets a victim to open a crafted URL can run script in the victim's browser in the context of the application, read what the application exposes to that user, and perform actions as that user. The attack is remote and needs no authentication, but it does require the victim to follow the attacker's link. [1, 2, 3, 4, 5]
How can this vulnerability impact me?
Injected script can read cookies that are not marked HttpOnly, session tokens and other data the application renders, perform actions in the application as the victim, deface pages, or redirect users to attacker-controlled sites. What the attacker gains is control of the victim's session in this application, not control of the browser as a whole. Because exploitation needs no authentication, any user who can be lured to a crafted link is a target. [1, 2, 3, 4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test the 'page' parameter of /index.php for reflected XSS: request /index.php?page=<payload> with a harmless marker such as <script>alert('xss')</script>, or a unique string that contains angle brackets and a quote, and check whether the response returns it unchanged rather than HTML-encoded (for example as &lt;script&gt;). Manual testing or any scanner that checks reflected parameters will find it. Search-engine dorks such as "inurl:index.php" have been suggested for locating instances, but that query matches almost every PHP site and is not specific to this product; confirm the product and version (1.0) before treating an instance as affected. [4, 5]
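The check described above, written out as an added example (this is not code from the advisory or from the Campcodes product). It sends a non-executing canary through the 'page' parameter and classifies the response as unencoded, encoded, partially encoded or not reflected; the two constructed responses it checks first stand in for a vulnerable and a fixed server, and the live probe only runs when a base URL is given on the command line. The URL layout /index.php?page= is taken from the advisory; everything else is an assumption of the example.

```php
<?php
// probe_page_xss.php: an added example, not part of the advisory and not the
// product's code. It sends a harmless canary through the 'page' parameter of
// /index.php and reports how the response handles it. Requires PHP 8.0+.
declare(strict_types=1);

function classify_reflection(string $body, string $canary, string $token): string
{
    // Full raw reflection: angle brackets and the quote survived untouched.
    if (str_contains($body, $canary)) {
        return 'UNENCODED - reflected XSS confirmed';
    }
    // Correct encoding: what htmlspecialchars() with ENT_QUOTES would emit.
    $encoded = htmlspecialchars($canary, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    if (str_contains($body, $encoded)) {
        return 'ENCODED - not exploitable as reflected XSS';
    }
    // The marker came back but some characters were altered (e.g. < and > encoded
    // while the quote survived): inspect the surrounding HTML context by hand.
    if (str_contains($body, $token)) {
        return 'PARTIALLY ENCODED - manual review needed';
    }
    return 'NOT REFLECTED';
}

function probe(string $baseUrl, string $canary, string $token): string
{
    $url = rtrim($baseUrl, '/') . '/index.php?page=' . rawurlencode($canary);
    // ignore_errors keeps the body of a 404 or 500, which may still reflect input.
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'ignore_errors' => true]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? 'REQUEST FAILED' : classify_reflection($body, $canary, $token);
}

// A unique marker that executes nothing; if it is echoed raw, <script> would be too.
$token  = 'xss' . bin2hex(random_bytes(4));
$canary = '"><' . $token . '>';

// Offline self-check on two constructed responses (not captured from a real host).
$vulnerable = '<div class="error">Page ' . $canary . ' not found</div>';
$hardened   = '<div class="error">Page '
            . htmlspecialchars($canary, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            . ' not found</div>';
echo 'constructed vulnerable response: ', classify_reflection($vulnerable, $canary, $token), PHP_EOL;
echo 'constructed hardened response:   ', classify_reflection($hardened, $canary, $token), PHP_EOL;

// Live probe, only against a host you are authorised to test:
//   php probe_page_xss.php http://target.example
if ($argc > 1) {
    echo $argv[1], ': ', probe($argv[1], $canary, $token), PHP_EOL;
}
```

A canary proves reflection, not the full attack: if the value lands inside a JavaScript string or an unquoted attribute, the 'partially encoded' result can still be exploitable with a payload shaped for that context, which is why that verdict asks for a manual look rather than declaring the instance safe.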
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps: 1) encode every user-controlled value for the context it is written into (HTML body, attribute, JavaScript, CSS or URL) so injected markup cannot execute; 2) validate the 'page' parameter against the set of page names the application actually serves and reject anything else, rather than trying to filter out script tags; 3) deploy a strict Content Security Policy that disallows inline scripts and restricts script sources, which limits what an injected payload can do even if one gets through; 4) set the HttpOnly and Secure flags on the session cookie so injected script cannot read it and it is only sent over HTTPS; 5) audit the application for other reflected parameters, since the same pattern rarely occurs only once. If the application cannot be patched, replacing it with a maintained alternative is the safer option. [5, 4]
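Steps 1 to 4 above, shown together as an added PHP example. This is not the Campcodes source code: the vulnerable handler is an illustrative reconstruction of the pattern the advisory describes (the raw 'page' value reaching the HTML), and the page names, file layout and function names are assumptions made for the example.

```php
<?php
// Added example, not the product's code. Shows the reflected-'page' pattern the
// advisory describes as an illustrative vulnerable handler beside a hardened one.
declare(strict_types=1);

// Vulnerable pattern (illustrative): the raw query value reaches the HTML.
function render_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'home';
    return "<p>Unknown page: {$page}</p>";  // ?page=<script>... executes in the browser
}

// Hardened pattern: allowlist first (step 2), context-aware encoding second (step 1).
const ALLOWED_PAGES = ['home', 'products', 'sales', 'inventory', 'users'];  // assumed names

function html(string $s): string
{
    // Encodes < > & " ' for an HTML text or quoted-attribute context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string
{
    $page = (string)($get['page'] ?? 'home');
    if (!in_array($page, ALLOWED_PAGES, true)) {
        // The allowlist is the primary control; encoding is the defence in depth
        // for the case where the error message must show the rejected input.
        return '<p>Unknown page: ' . html($page) . '</p>';
    }
    return '<p>Loading ' . html($page) . '</p>';
}

function send_defensive_headers(): void
{
    // Step 3: no inline scripts, scripts only from this origin.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    // Step 4: keep the session cookie out of reach of injected JavaScript and off plain HTTP.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

// Headers must go out before any body; skipped under the CLI where there is no HTTP response.
if (PHP_SAPI !== 'cli') {
    send_defensive_headers();
}

// Constructed request, not captured traffic: the classic reflected-XSS probe.
$payload = ['page' => '<script>alert(1)</script>'];
echo render_vulnerable($payload), PHP_EOL;
echo render_hardened($payload), PHP_EOL;
```

Run under the CLI, the first line echoes the script tag verbatim and the second prints it entity-encoded, which is the difference the detection probe above looks for. The CSP shown disables inline scripts, so an application that relies on them will need its scripts moved to files (or nonces added) before the policy is enforced; roll it out in report-only mode first. The page also lists CWE-94 (code injection) without saying how the parameter is used; if 'page' selects which server-side file to load, the same allowlist is the control that closes that path as well.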