CVE-2025-10827
BaseFortify
Publication date: 2025-09-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpjabbers | restaurant_menu_maker | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10827 is a Cross-Site Scripting (XSS) vulnerability in PHPJabbers Restaurant Menu Maker version 1.1, specifically in the /preview.php file. The vulnerability arises because the 'theme' parameter is not properly sanitized or encoded before being included in the web page output. This allows attackers to inject malicious JavaScript code via crafted URLs, which executes in the victim's browser when they access the compromised page. The attack can be performed remotely without authentication but requires user interaction to trigger the malicious script. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to execution of arbitrary scripts in the context of the victim's browser, which may result in session hijacking, unauthorized actions performed on behalf of authenticated users, webpage defacement, and redirection to malicious websites. These impacts pose significant risks to user privacy and system security. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /preview.php endpoint with the 'theme' parameter for reflected cross-site scripting (XSS). You can try sending HTTP GET requests with payloads such as `'><script>alert(1)</script>` in the 'theme' parameter and observe whether the script executes or is reflected unsanitized in the response. Additionally, Google dorking with queries like `inurl:preview.php` can help identify vulnerable instances. Example command using curl: `curl -i 'http://targetsite/preview.php?theme=%27%3E%3Cscript%3Ealert(1)%3C/script%3E'`, then check the response for the injected script. Monitoring web traffic for suspicious requests containing script tags in the 'theme' parameter can also help detect exploitation attempts. [2, 3]
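A small log detector for the monitoring approach above, added here as an example (not BaseFortify's or PHPJabbers' code): it parses constructed Common Log Format lines, URL-decodes the 'theme' parameter of requests to /preview.php, and flags values that carry markup or script fragments instead of a plain theme name. The sample log lines, the theme allowlist pattern and the indicator regex are assumptions.

```python
"""Flag access-log requests to /preview.php whose 'theme' parameter carries
markup or script fragments (reflected XSS attempts against CVE-2025-10827)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2025:10:01:02 +0000] "GET /preview.php?theme=default HTTP/1.1" 200 5123
203.0.113.9 - - [23/Sep/2025:10:01:07 +0000] "GET /preview.php?theme=%27%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5240
198.51.100.7 - - [23/Sep/2025:10:02:11 +0000] "GET /index.php?theme=%3Cb%3E HTTP/1.1" 200 812
203.0.113.9 - - [23/Sep/2025:10:03:30 +0000] "GET /preview.php?theme=dark%22%20onload%3Dalert(1) HTTP/1.1" 200 5240
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators of HTML/JS injection in a value that should only ever be a theme name.
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Assumed allowlist: a legitimate theme is a short alphanumeric/dash/underscore token.
THEME_OK_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def theme_values(target):
    """Return decoded 'theme' values from a request target, or [] for other paths."""
    parts = urlsplit(target)
    if parts.path != "/preview.php":
        return []
    # parse_qs decodes once; unquote again so double-encoded payloads are not missed.
    return [unquote(v) for v in parse_qs(parts.query, keep_blank_values=True).get("theme", [])]


def scan_log(text):
    """Return (ip, timestamp, decoded_theme) for every request with a suspicious theme."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF entries
        for value in theme_values(m["target"]):
            if SUSPICIOUS_RE.search(value) or not THEME_OK_RE.match(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious theme={value!r}")
```

Requests to other paths (such as /index.php in the sample) are ignored so the check stays scoped to the affected endpoint; widen `theme_values` if your deployment serves the script under a different path.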
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper output encoding for the 'theme' parameter using context-specific encoding (HTML, JavaScript, URL) to prevent script injection. Enforce a strict Content Security Policy (CSP) to restrict executable script sources. Validate and sanitize all user inputs with whitelisting to reject or sanitize HTML/JavaScript markup. Use secure, up-to-date web frameworks that provide built-in XSS protections. Additionally, set HTTP-only and Secure flags on sensitive cookies to prevent JavaScript access and ensure secure transmission. If possible, replace the affected software with an alternative product as no known countermeasures are documented. [2, 3]