CVE-2025-11125
BaseFortify
Publication date: 2025-09-29
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langleyfcu | online_banking_system | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11125 is a cross-site scripting (XSS) vulnerability in the langleyfcu Online Banking System, specifically in the /connection_error.php file of the Error Message Handler component. It occurs because the 'error' argument is not properly sanitized before being displayed, allowing an attacker to inject malicious scripts. This can be exploited remotely without authentication but requires user interaction to trigger the malicious script. [1, 2]
How can this vulnerability impact me?
This vulnerability allows attackers to inject malicious scripts into the error messages shown to users. The result is compromised data integrity: unauthorized scripts execute in users' browsers, potentially stealing session information or performing actions on behalf of the user. Although it does not directly affect confidentiality or availability, it poses a risk to the integrity of user interactions with the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /connection_error.php page for reflected cross-site scripting (XSS) via the 'error' URL parameter. One method is to append a crafted payload such as `?error=<script>alert("XSS")</script>` to the URL and observe if a JavaScript alert pop-up appears, indicating the presence of the XSS flaw. Additionally, Google dorking can be used to identify vulnerable targets by searching for "inurl:connection_error.php". No specific network commands are provided, but manual testing of the URL parameter with XSS payloads is effective. [1, 2]
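A log-side check for the same request pattern, as an added example that is not part of the original page or the vendor's code: it scans web-server access logs for requests to /connection_error.php whose 'error' parameter decodes to HTML markup. The log lines are constructed, and the Combined Log Format layout, the function names and the angle-bracket heuristic are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (Combined Log Format, documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Sep/2025:10:01:02 +0000] "GET /connection_error.php?error=Database+unavailable HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Sep/2025:10:03:41 +0000] "GET /connection_error.php?error=%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '198.51.100.23 - - [29/Sep/2025:10:05:10 +0000] "GET /connection_error.php?error=%253Cscript%253E HTTP/1.1" 200 498',
    '198.51.100.4 - - [29/Sep/2025:10:06:00 +0000] "GET /login.php?error=%3Cb%3E HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
MARKUP_RE = re.compile(r"[<>]")  # heuristic: angle brackets have no place in an error message


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_error_values(lines):
    """Return (client_ip, decoded_value) for each request to connection_error.php
    whose 'error' parameter decodes to text containing HTML markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/connection_error.php"):
            continue
        # parse_qsl performs the first round of decoding; fully_decode handles the rest.
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            if name == "error" and MARKUP_RE.search(fully_decode(raw)):
                hits.append((line.split()[0], fully_decode(raw)))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_error_values(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

A hit means a request carrying markup reached the page, not that the script ran in a browser; treat the flagged client addresses and timestamps as starting points for review.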
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability. It is suggested to replace the affected component or product. Immediate steps include avoiding use of the vulnerable version and monitoring for updates or patches from the vendor. Additionally, applying input sanitization or filtering on the 'error' parameter to neutralize malicious scripts can help mitigate the risk until an official fix is available. [1]