CVE-2025-56276
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-18

Assigner: MITRE

Description
code-projects Food Ordering Review System 1.0 is vulnerable to Cross Site Scripting (XSS) in the registration function. An attacker enters malicious JavaScript code as a username, which triggers the XSS vulnerability when the admin views user information, resulting in the disclosure of the admin's cookie information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56276
EUVD
EUVD-2025-29623
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
carmelo food_ordering_review_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue in the registration function of the Food Ordering Review System 1.0. An attacker can input malicious JavaScript code as a username during registration. When the admin later views this user information, the malicious script executes, leading to the disclosure of the admin's cookie information.

Impact Analysis

The vulnerability can lead to the disclosure of sensitive admin cookie information, which could allow an attacker to hijack the admin's session. This compromises the security of the admin panel, potentially giving the attacker unauthorized control over the system, including user management and site settings.

Detection Guidance

This vulnerability can be detected by testing the registration function for Cross Site Scripting (XSS) by attempting to input malicious JavaScript code as a username and then observing if the admin panel executes this code when viewing user information. Since the system runs on a local server (e.g., XAMPP) and uses a MySQL database, you can monitor HTTP requests to the registration endpoint for suspicious input patterns. Commands to detect this might include using curl or wget to submit test payloads, for example: curl -X POST -d "username=<script>alert(1)</script>&other_fields=values" http://localhost/food/registration_endpoint. Additionally, inspecting the admin panel's user management pages for unescaped input rendering can help detect the vulnerability. Network monitoring tools like Wireshark or Burp Suite can be used to capture and analyze traffic for malicious payloads. [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the registration function to prevent malicious JavaScript code from being stored or executed. Implement proper output encoding/escaping when displaying user data in the admin panel to prevent XSS execution. Restrict admin panel access to trusted users and networks. Additionally, consider applying web application firewalls (WAF) rules to block common XSS payloads. Since the system runs on a local server setup (e.g., XAMPP), ensure the environment is secure and updated. Regularly review and update the code to handle input safely. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart