CVE-2025-9754
BaseFortify
Publication date: 2025-09-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | online_hospital_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9754 is a Cross-Site Scripting (XSS) vulnerability in the Campcodes Online Hospital Management System version 1.0, specifically in the Edit Profile page (/edit-profile.php). The vulnerability occurs because the username field does not properly validate or sanitize user input, allowing attackers to inject malicious scripts. These scripts can then be executed in the context of other users viewing the page, potentially stealing session tokens, performing unauthorized actions, or compromising user accounts. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you view the affected page. This can lead to theft of session tokens, unauthorized actions on your behalf, or compromise of your user account. The attack can be launched remotely and requires some user interaction. It affects the integrity of the system and can be exploited without local access. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable Edit Profile page (/edit-profile.php) in the Campcodes Online Hospital Management System version 1.0. One method is to use Google Dorking with queries such as "inurl:edit-profile.php" to identify potentially vulnerable targets. Additionally, manual testing or automated scanning tools can be used to inject scripts into the username parameter to verify if input is properly sanitized. Specific commands are not provided, but using web vulnerability scanners or curl commands to test the username parameter for script injection could be effective. [2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability. It is suggested to consider replacing the affected component or product. Immediate steps include restricting access to the vulnerable page, monitoring for suspicious activity, and applying any available updates or patches from the vendor if released. Since the vulnerability allows remote exploitation, minimizing exposure and user interaction with the vulnerable page is advisable. [2]