CVE-2025-10117
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chuck24 | simple_to-do_list_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10117 is a Stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Simple To-Do List System 1.0, specifically in the Add New Task component within the file /fetch_tasks.php. The application fails to properly sanitize and escape user input entered in the "Enter task..." field. An attacker can inject malicious JavaScript code (e.g., <script>alert('XSS')</script>) which is stored persistently in the database. When any user accesses the main page, the stored malicious script is rendered and executed by the browser, potentially allowing the attacker to steal session cookies, manipulate page content, redirect users to malicious sites, or perform unauthorized actions on behalf of users. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your browser session when you visit the affected application. This can lead to theft of session cookies, unauthorized actions performed on your behalf, manipulation of the webpage content you see, or redirection to malicious websites. Essentially, it compromises the integrity and security of your interaction with the application and can lead to account compromise or data theft. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a test script such as <script>alert('XSS')</script> into the 'Enter task...' input field of the Add New Task component and then observing if the script executes when the tasks are fetched and rendered on the main page. Additionally, attackers can locate vulnerable targets using Google dorking with queries like "inurl:fetch_tasks.php" to find instances of the vulnerable application. There are no specific network commands provided, but manual testing by inputting the script and checking for execution in the browser is effective. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing rigorous server-side validation and proper output encoding of user input. Specifically, the PHP code in /fetch_tasks.php should use functions like htmlspecialchars() to escape user-supplied data before rendering it in HTML, converting characters such as < and > into safe entities to prevent script execution. If a patch or update is available, apply it promptly. If not, consider replacing the affected product with an alternative solution to avoid exploitation. [1, 3]