CVE-2025-56276
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | food_ordering_review_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross Site Scripting (XSS) issue in the registration function of the Food Ordering Review System 1.0. An attacker can input malicious JavaScript code as a username during registration. When the admin later views this user information, the malicious script executes, leading to the disclosure of the admin's cookie information.
How can this vulnerability impact me? :
The vulnerability can lead to the disclosure of sensitive admin cookie information, which could allow an attacker to hijack the admin's session. This compromises the security of the admin panel, potentially giving the attacker unauthorized control over the system, including user management and site settings.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the registration function for Cross Site Scripting (XSS) by attempting to input malicious JavaScript code as a username and then observing if the admin panel executes this code when viewing user information. Since the system runs on a local server (e.g., XAMPP) and uses a MySQL database, you can monitor HTTP requests to the registration endpoint for suspicious input patterns. Commands to detect this might include using curl or wget to submit test payloads, for example: curl -X POST -d "username=<script>alert(1)</script>&other_fields=values" http://localhost/food/registration_endpoint. Additionally, inspecting the admin panel's user management pages for unescaped input rendering can help detect the vulnerability. Network monitoring tools like Wireshark or Burp Suite can be used to capture and analyze traffic for malicious payloads. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs on the registration function to prevent malicious JavaScript code from being stored or executed. Implement proper output encoding/escaping when displaying user data in the admin panel to prevent XSS execution. Restrict admin panel access to trusted users and networks. Additionally, consider applying web application firewalls (WAF) rules to block common XSS payloads. Since the system runs on a local server setup (e.g., XAMPP), ensure the environment is secure and updated. Regularly review and update the code to handle input safely. [1]