CVE-2025-10117
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in SourceCodester Simple To-Do List System 1.0. Impacted is an unknown function of the file /fetch_tasks.php of the component Add New Task. Executing manipulation with the input <script>alert('XSS')</script> can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10117
EUVD
EUVD-2025-33988
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chuck24 simple_to-do_list_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10117 is a Stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Simple To-Do List System 1.0, specifically in the Add New Task component within the file /fetch_tasks.php. The application fails to properly sanitize and escape user input entered in the "Enter task..." field. An attacker can inject malicious JavaScript code (e.g., <script>alert('XSS')</script>) which is stored persistently in the database. When any user accesses the main page, the stored malicious script is rendered and executed by the browser, potentially allowing the attacker to steal session cookies, manipulate page content, redirect users to malicious sites, or perform unauthorized actions on behalf of users. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your browser session when you visit the affected application. This can lead to theft of session cookies, unauthorized actions performed on your behalf, manipulation of the webpage content you see, or redirection to malicious websites. Essentially, it compromises the integrity and security of your interaction with the application and can lead to account compromise or data theft. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to inject a test script such as <script>alert('XSS')</script> into the 'Enter task...' input field of the Add New Task component and then observing if the script executes when the tasks are fetched and rendered on the main page. Additionally, attackers can locate vulnerable targets using Google dorking with queries like "inurl:fetch_tasks.php" to find instances of the vulnerable application. There are no specific network commands provided, but manual testing by inputting the script and checking for execution in the browser is effective. [1, 3]

Mitigation Strategies

Immediate mitigation steps include implementing rigorous server-side validation and proper output encoding of user input. Specifically, the PHP code in /fetch_tasks.php should use functions like htmlspecialchars() to escape user-supplied data before rendering it in HTML, converting characters such as < and > into safe entities to prevent script execution. If a patch or update is available, apply it promptly. If not, consider replacing the affected product with an alternative solution to avoid exploitation. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart