CVE-2025-12228
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | expense_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12228 is a Persistent Cross-Site Scripting (XSS) vulnerability in the Expense Management System 1.0, specifically in the /public/admin/users/create file. An authenticated attacker can inject malicious scripts into the database via form fields like the 'Name' field on the Add Users page. These scripts then execute in the browsers of other users, including administrators, when they view the compromised pages. This happens due to improper input sanitization and lack of output encoding. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to hijack user sessions by stealing session cookies, perform unauthorized actions by impersonating victims (such as creating admin accounts or deleting passes), conduct phishing attacks by injecting fake login forms, log keystrokes, and deface website content. Essentially, it compromises user security and the integrity of the application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the input fields on the /public/admin/users/create page, especially the "Name" field, for persistent cross-site scripting (XSS). You can try submitting a payload such as `<img src=x onerror=alert(document.cookie)>` and then observe whether the script executes when the page is viewed. Additionally, scanning tools that detect XSS vulnerabilities, or a manual code review for missing output encoding (e.g., lack of htmlspecialchars() in PHP), can help identify the issue. There are no specific network commands provided, but testing the web application input fields with XSS payloads is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply proper output encoding on all user-controlled data before rendering it in HTML. Specifically, use PHP's `htmlspecialchars()` function with appropriate flags, for example: `echo htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8');`. This prevents injected scripts from being executed in users' browsers. Additionally, restrict access to the vulnerable page to authenticated and authorized users, and consider sanitizing inputs and reviewing user permissions to reduce risk. [1]
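The following is an added example, not code from the advisory or from the projectworlds project, showing the rendering pattern behind the detection and mitigation answers above: the unencoded echo that lets a stored "Name" value become markup, the `htmlspecialchars()` call with `ENT_QUOTES` and an explicit charset beside it, and a defender-side scan over stored rows for records that were injected before the fix. The column name `full_name` is taken from the advisory's snippet; the row layout, the `sample_users()` data and the `find_suspicious_names()` helper are constructed for illustration.

```php
<?php
// Added example (not the project's code). Row layout and helper names are assumptions;
// only the column name full_name and the ENT_QUOTES/UTF-8 call come from the advisory.

// Constructed sample rows standing in for the users table. Row 2 holds the
// probe payload quoted in the advisory; row 3 shows that quotes and ampersands
// in legitimate names must survive encoding intact.
function sample_users(): array {
    return [
        ['id' => 1, 'full_name' => 'Alice Example'],
        ['id' => 2, 'full_name' => '<img src=x onerror=alert(document.cookie)>'],
        ['id' => 3, 'full_name' => "O'Brien & Sons"],
    ];
}

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so any markup stored in full_name is parsed by every viewer's browser.
function render_user_row_unsafe(array $row): string {
    return '<td>' . $row['full_name'] . '</td>';
}

// Hardened pattern from the advisory: encode at output time. ENT_QUOTES covers
// both quote styles, the explicit charset avoids encoding-dependent bypasses.
function render_user_row_safe(array $row): string {
    return '<td>' . htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8') . '</td>';
}

// Defender-side check: flag stored names that already contain markup or
// event-handler syntax so records injected before the fix can be reviewed
// and cleaned. Returns the ids of matching rows.
function find_suspicious_names(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/[<>]|javascript:|on\w+\s*=/i', $row['full_name'])) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

foreach (sample_users() as $row) {
    echo "unsafe: " . render_user_row_unsafe($row) . "\n";
    echo "safe:   " . render_user_row_safe($row) . "\n";
}
// Expected: only row 2 is flagged; row 3's apostrophe and ampersand are
// rendered as &#039; and &amp; by the safe path, not reported as suspicious.
echo "rows to review: " . implode(', ', find_suspicious_names(sample_users())) . "\n";
```

Run it with `php example.php`. The safe path turns the stored payload into `&lt;img src=x onerror=alert(document.cookie)&gt;`, which the browser displays as text. Note that `htmlspecialchars()` is correct only for HTML element content and quoted attribute values; a value placed inside a `<script>` block, a URL, or an unquoted attribute needs the encoding appropriate to that context, and the stored-row scan is a triage aid for cleaning up existing data, not a substitute for encoding on output.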