CVE-2025-11112
BaseFortify
Publication date: 2025-09-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | employee_record_management_system | 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /myprofile.php page for improper sanitization of the "First name" parameter. One approach is to inject a simple XSS payload such as <script>alert('XSS')</script> into the "First name" field and observe if the script executes when the page is viewed. Additionally, attackers can locate vulnerable targets using Google dorking with queries like "inurl:myprofile.php". There are no specific commands provided, but manual testing or automated web vulnerability scanners targeting reflected or stored XSS in the "First name" parameter can be used. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing context-aware output encoding to escape special HTML characters such as <, >, ", ', and & in the "First name" parameter before rendering it in the browser. Deploying a strict Content Security Policy (CSP) to restrict script execution to trusted sources is also recommended as a defense-in-depth measure. Additionally, enforce rigorous input validation to reject any embedded HTML or script tags in user inputs. If possible, consider replacing the affected product with an alternative solution as no known countermeasures are documented. [2, 1]
How can this vulnerability impact me? :
This vulnerability can lead to theft of sensitive information such as cookies and session tokens, enabling session hijacking. It can also cause website defacement, phishing attacks, and redirection to malicious sites. Overall, it severely compromises user account security and data privacy by allowing attackers to execute arbitrary scripts in the context of other users' browsers. [2, 3]
Can you explain this vulnerability to me?
CVE-2025-11112 is a cross-site scripting (XSS) vulnerability in PHPGurukul Employee Record Management System version 1.3, specifically in the /myprofile.php file. It occurs because the "First name" parameter does not properly sanitize or encode user input, allowing attackers to inject malicious scripts that execute in other users' browsers. This can be exploited remotely without authentication by submitting malicious JavaScript code in the "First name" field, which then runs when viewed by others. [1, 2, 3]