CVE-2025-56018
BaseFortify
Publication date: 2025-09-30
Last updated on: 2026-04-09
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| senior-walter | web-based_pharmacy_product_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-56018 is a Stored Cross-Site Scripting (XSS) vulnerability in the SourceCodester Web-based Pharmacy Product Management System version 1.0. It occurs in the Category Management module, specifically in the Category Name input field, which does not properly sanitize or encode user input. This allows an attacker to inject malicious JavaScript code that is stored by the application and executed whenever any user views the affected category list page. [1]
How can this vulnerability impact me?
This vulnerability can have a high impact as it allows arbitrary JavaScript execution in users' browsers. Potential consequences include theft of session cookies, unauthorized actions such as adding or deleting categories and data manipulation, defacement of the application, redirection to malicious websites, and possibly full application takeover if an administrator's session is compromised. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a test script payload such as `<script>alert('XSS by Security Researcher')</script>` into the Category Name field in the Category Management module of the SourceCodester Web-based Pharmacy Product Management System v1.0. If the script executes when viewing the category list page, the system is vulnerable. There are no specific network commands provided, but manual testing via the web interface or automated web vulnerability scanners targeting stored XSS in input fields can be used. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and sanitization on both client and server sides, such as restricting category names to alphanumeric characters. Apply proper output encoding techniques like PHP's htmlspecialchars() before rendering user data. Deploy Content Security Policy (CSP) headers to limit script injection risks. Additionally, use frameworks or templating engines that automatically escape output. Applying patches or updates that address this vulnerability is strongly recommended. [1]
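The mitigation advice above (output encoding with htmlspecialchars(), server-side validation, a CSP header) is shown below in a single added PHP example. This is illustrative code written for this page, not code from the SourceCodester pharmacy product management system; it assumes a category list is rendered from an array of database rows with `id` and `name` keys, and the validation policy (letters, digits, spaces, hyphens, 1-64 characters) is an assumed one, not a rule stated in the advisory.

```php
<?php
// Added example (not the pharmacy system's own code): a minimal category-list
// renderer showing the stored-XSS pattern next to its hardened form.
// Assumed: $categories is an array of rows fetched from the application's database.

declare(strict_types=1);

// Constructed sample rows: the second is what an attacker-controlled
// Category Name looks like once it has been stored by the application.
$categories = [
    ['id' => 1, 'name' => 'Antibiotics'],
    ['id' => 2, 'name' => "<script>alert('XSS by Security Researcher')</script>"],
];

// Vulnerable pattern: user-controlled data echoed straight into HTML.
function renderCategoryListUnsafe(array $categories): string
{
    $html = "<ul>\n";
    foreach ($categories as $row) {
        // The stored value is reflected verbatim; the browser executes any markup it contains.
        $html .= "  <li data-id=\"{$row['id']}\">{$row['name']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: encode on output, at the point where data is inserted into HTML.
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // quoted attributes as well as in element text.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCategoryListSafe(array $categories): string
{
    $html = "<ul>\n";
    foreach ($categories as $row) {
        $html .= '  <li data-id="' . e((string) $row['id']) . '">' . e($row['name']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Server-side validation on input (defence in depth, not a substitute for encoding).
// Assumed policy: letters, digits, spaces, hyphens, 1-64 characters.
function isValidCategoryName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9 \-]{1,64}$/', $name) === 1;
}

// CSP header: disallow inline scripts so an injected <script> block is blocked
// even if encoding is missed somewhere. Must be sent before any output.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demonstration when run from the command line.
if (PHP_SAPI === 'cli') {
    echo "Unsafe rendering:\n", renderCategoryListUnsafe($categories);
    echo "Safe rendering:\n", renderCategoryListSafe($categories);
    foreach ($categories as $row) {
        printf("Input %s: %s\n", var_export($row['name'], true),
            isValidCategoryName($row['name']) ? 'accepted' : 'rejected');
    }
}
```

Running it from the CLI shows the unsafe renderer emitting the stored `<script>` element as live markup, while the safe renderer emits `&lt;script&gt;...` as inert text; the validator rejects the same value on input. Encoding at output is the control that actually closes the hole, because stored data may have entered through any path; the validator and the CSP header reduce the blast radius if an encoding call is ever missed.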