CVE-2025-11663
BaseFortify
Publication date: 2025-10-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | online_beauty_parlor_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11663 is a vulnerability in the Campcodes Online Beauty Parlor Management System 1.0, specifically in the /admin/manage-services.php file. It involves manipulation of the 'sername' parameter, which leads to a SQL injection vulnerability that can be exploited remotely. Additionally, Resource 1 describes it as a cross-site scripting (XSS) vulnerability where user input is not properly validated or encoded, allowing attackers to inject malicious JavaScript code that executes in victims' browsers. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions such as stealing cookies, session tokens, or other sensitive information, defacing web pages, redirecting users to malicious sites, and potentially gaining control over the victim's browser. Since the attack can be initiated remotely and requires no authentication, it poses a significant risk to user data and system integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'sername' parameter in the /admin/manage-services.php page for injection of malicious scripts such as <script>alert('XSS')</script>. You can use tools like curl or browser-based testing to inject payloads and observe if they are executed or reflected without proper encoding. For example, using curl: curl -G --data-urlencode "sername=<script>alert('XSS')</script>" http://target/admin/manage-services.php and checking the response for unencoded script tags. Additionally, web vulnerability scanners that test for reflected XSS can be used to automate detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement output encoding on all user inputs when rendering them on web pages, applying context-specific encoding to prevent script execution. 2) Enforce strict input validation and filtering on the 'sername' parameter to allow only expected formats and reject malicious content such as script tags. 3) Implement a strict Content Security Policy (CSP) to restrict allowable script sources and block unauthorized scripts. 4) Set HttpOnly and Secure flags on cookies to prevent JavaScript access and ensure secure transmission. 5) Conduct regular security audits to detect and address vulnerabilities promptly. [1]