CVE-2025-12227
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | gate_pass_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Persistent Cross-Site Scripting (XSS) issue in the Gate Pass Management System 1.0, specifically in the add-pass.php file. It occurs because user inputs from form fields like "Full Name" and "Reason" are stored in the database without proper sanitization and later displayed on pages such as manage-passes.php and view-pass-detail.php without adequate encoding. An authenticated attacker can inject malicious JavaScript code that executes in other users' browsers when they view these pages, potentially exposing session cookies and enabling session hijacking. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to user accounts, impersonation of users, unauthorized actions such as creating admin accounts or deleting passes, phishing attacks, keystroke logging, and website defacement. It allows attackers to execute malicious scripts in the browsers of other users, potentially compromising sensitive information and control over the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the input fields in add-pass.php, such as 'Full Name' and 'Reason', for persistent cross-site scripting (XSS). You can attempt to inject a simple JavaScript payload like `<img src=x onerror=alert(document.cookie)>` into these fields and then check if the payload executes when viewing pages like manage-passes.php or view-pass-detail.php. For automated detection, you can use web vulnerability scanners that test for stored XSS vulnerabilities on these input points. Additionally, manual inspection of the source code for missing output encoding (e.g., absence of htmlspecialchars() on user inputs) can help identify the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, apply proper output encoding on all user-supplied data before rendering it in HTML contexts. Specifically, replace vulnerable echo statements like `echo $row['full_name'];` with `echo htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8');` in affected files such as view-pass-detail.php, manage-passes.php, and edit-pass-detail.php. This prevents the browser from interpreting injected scripts. Additionally, ensure that user inputs are sanitized and validated before storing them in the database. [1]
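The source inspection suggested for detection and the echo replacement described in the mitigation can be checked together with a small audit script. This is an added example, not code from the advisory or the project: it assumes database rows are read into `$row` as in the snippet above, and the `reason` column name, `$ret` and the sample PHP are constructed.

```python
import re

# PHP output statements: `echo ...;` / `print ...;` and short echo tags `<?= ... ?>`
OUTPUT_STMT = re.compile(r"\b(?:echo|print)\b(?P<a>[^;]*);|<\?=(?P<b>.*?)\?>", re.S)
# A database row field such as $row['full_name']
ROW_FIELD = re.compile(r"\$row\[\s*['\"](\w+)['\"]\s*\]")
ENCODERS = ("htmlspecialchars", "htmlentities")

def _inside_encoder(expr, pos):
    """True if offset pos lies inside a still-open encoder call in expr."""
    for name in ENCODERS:
        for call in re.finditer(re.escape(name) + r"\s*\(", expr[:pos]):
            depth = 1
            for ch in expr[call.end():pos]:
                depth += (ch == "(") - (ch == ")")
                if depth == 0:
                    break  # the call closed before reaching the field
            if depth > 0:
                return True
    return False

def find_unencoded_echoes(php_source):
    """Return (line, field) for every $row[...] written out without HTML encoding."""
    findings = []
    for stmt in OUTPUT_STMT.finditer(php_source):
        group = "a" if stmt.group("a") is not None else "b"
        expr, base = stmt.group(group), stmt.start(group)
        for field in ROW_FIELD.finditer(expr):
            if not _inside_encoder(expr, field.start()):
                line = php_source.count("\n", 0, base + field.start()) + 1
                findings.append((line, field.group(1)))
    return findings

# Constructed sample in the style of manage-passes.php (not the project's real source);
# the 'reason' column name and $ret are assumptions.
SAMPLE = """<?php while ($row = mysqli_fetch_array($ret)) { ?>
<td><?php echo $row['full_name']; ?></td>
<td><?php echo htmlspecialchars($row['reason'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?= $row['reason'] ?></td>
<td><?php echo strtoupper(htmlspecialchars($row['full_name'])) . $row['reason']; ?></td>
<?php } ?>"""

if __name__ == "__main__":
    for line, field in find_unencoded_echoes(SAMPLE):
        print(f"line {line}: $row['{field}'] is echoed without htmlspecialchars()")
```

The check is a heuristic: it does not follow values copied from `$row` into other variables before output, and parentheses inside string literals can confuse the depth count, so treat its results as a starting list for manual review.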