CVE-2025-10075
BaseFortify
Publication date: 2025-09-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| razormist | online_polling_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) flaw in the SourceCodester Online Polling System version 1.0, specifically in the /manage-profile.php file's 'firstname' parameter. Due to insufficient input validation and sanitization, an attacker can inject malicious JavaScript code into the 'firstname' field. This malicious script is stored on the server and executes in the browsers of other users who view the affected profile, potentially compromising their security and privacy. [1, 2]
How can this vulnerability impact me? :
The vulnerability allows remote attackers to inject and execute malicious scripts in other users' browsers when they view the compromised profile. This can lead to security and privacy issues such as session hijacking, defacement, or theft of sensitive information. Exploitation is easy and requires some user interaction. The impact is limited to integrity and user interaction, with no direct confidentiality or availability impact reported. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'firstname' parameter in the /manage-profile.php page for cross-site scripting (XSS) by injecting a script payload such as `<script>alert('XSS')</script>`. If the alert triggers upon viewing or refreshing the profile, the system is vulnerable. Additionally, vulnerable targets can be identified using Google dorking with the query `inurl:manage-profile.php` to find instances of the affected page. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability. It is suggested to replace the affected product with an alternative. Immediate steps include avoiding use of the vulnerable version and monitoring for any suspicious activity related to the exploit. [2]