CVE-2025-9922
BaseFortify
Publication date: 2025-09-03
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | sales_and_inventory_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9922 is a cross-site scripting (XSS) vulnerability in Campcodes Sales and Inventory System version 1.0, specifically in the /index.php file. It occurs because the application improperly handles user input in the 'page' parameter, allowing attackers to inject malicious scripts. These scripts execute in the browsers of other users who view the affected page, potentially compromising data integrity. The vulnerability can be exploited remotely without authentication and is publicly disclosed with proof-of-concept exploits available. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users visiting the affected system. This can lead to theft of cookies, session tokens, or other sensitive information, unauthorized actions performed on behalf of the victim, defacement of web pages, redirection to malicious sites, and potentially gaining control over the victim's browser. Exploitation requires no authentication and can be triggered simply by a user interacting with a maliciously crafted URL. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'page' parameter in the /index.php file for cross-site scripting (XSS) by injecting typical XSS payloads such as <script>alert('XSS')</script>. For example, you can use curl or a browser to request URLs like http://yourserver/index.php?page=<script>alert('XSS')</script> and observe if the script executes. Additionally, Google dorking with queries such as inurl:index.php can help identify vulnerable instances. Monitoring web server logs for suspicious requests containing script tags in the 'page' parameter can also aid detection. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement proper output encoding of user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution of injected scripts. 2) Apply strict input validation and filtering to sanitize the 'page' parameter, allowing only expected values and rejecting or escaping malicious content such as script tags. 3) Deploy a strict Content Security Policy (CSP) to restrict sources of executable scripts and prevent unauthorized script execution. 4) Set secure cookie flags such as HttpOnly and Secure to protect cookies from theft via JavaScript and ensure transmission over HTTPS. 5) Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly. If possible, consider replacing the affected product with a secure alternative. [2, 3]