CVE-2025-10794
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in PHPGurukul Car Rental Project 3.0. Affected by this issue is some unknown functionality of the file /carrental/search.php. Executing manipulation of the argument autofocus can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-09-22
EPSS Evaluated
2026-05-05
NVD
CVE-2025-10794
EUVD
EUVD-2025-30784
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul car_rental_project 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross-Site Scripting (XSS) flaw in the PHPGurukul Car Rental Project 3.0, specifically in the /carrental/search.php file. It occurs because the 'autofocus' parameter is not properly sanitized or encoded before being included in the HTML response. This allows an attacker to inject malicious JavaScript code that executes in the victim's browser, potentially affecting both unauthenticated and authenticated users. [1]


How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to session hijacking, cookie theft, webpage defacement, phishing attacks, or arbitrary script execution. This means attackers can steal sensitive information, impersonate users, or manipulate the website's content, which can compromise user security and trust. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /carrental/search.php endpoint for improper sanitization of the autofocus parameter. A common method is to send a POST request with a payload such as `<a autofocus onfocus=alert(1) href></a>` embedded in the searchdata parameter and observe if the script executes. For example, you can use curl to test this: `curl -X POST -d "searchdata=<a autofocus onfocus=alert(1) href></a>" http://target-site/carrental/search.php` and check if the alert is triggered or if the response contains unencoded script tags. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing proper output encoding by converting special characters (e.g., `<` to `&lt;`, `>` to `&gt;`, `"` to `&quot;`) before rendering user input in HTML. Additionally, enforce a strict Content Security Policy (CSP) header to limit executable script sources, apply strict input validation using allowlists to restrict input formats and disallow special characters, and utilize secure coding frameworks that provide built-in XSS protection mechanisms. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart