CVE-2025-12228
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in projectworlds Expense Management System 1.0. The impacted element is an unknown function of the file /public/admin/users/create of the component Users Page. The manipulation leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Meta Information
Published: 2025-10-27
Last modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2025-10-27
EPSS evaluated: 2026-06-15
Reference: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: projectworlds
Product: expense_management_system
Version / Range: 1.0
CWE ID and Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2025-12228 is a Persistent Cross-Site Scripting (XSS) vulnerability in the Expense Management System 1.0, specifically in the /public/admin/users/create file. An authenticated attacker can inject malicious scripts into the database via form fields like the 'Name' field on the Add Users page. These scripts then execute in the browsers of other users, including administrators, when they view the compromised pages. This happens due to improper input sanitization and lack of output encoding. [1]

Impact Analysis

This vulnerability can allow attackers to hijack user sessions by stealing session cookies, perform unauthorized actions by impersonating victims (such as creating admin accounts or deleting passes), conduct phishing attacks by injecting fake login forms, log keystrokes, and deface website content. Essentially, it compromises user security and the integrity of the application. [1]

Detection Guidance

This vulnerability can be detected by testing the input fields on the /public/admin/users/create page, especially the "Name" field, for persistent cross-site scripting (XSS). You can try submitting a payload such as `<img src=x onerror=alert(document.cookie)>` and then observe if the script executes when the page is viewed. Additionally, scanning tools that detect XSS vulnerabilities or manual code review for missing output encoding (e.g., lack of htmlspecialchars() in PHP) can help identify the issue. There are no specific network commands provided, but testing the web application input fields with XSS payloads is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to apply proper output encoding on all user-controlled data before rendering it in HTML. Specifically, use PHP's `htmlspecialchars()` function with appropriate flags, for example: `echo htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8');`. This prevents injected scripts from being executed in users' browsers. Additionally, restrict access to the vulnerable page to authenticated and authorized users, and consider sanitizing inputs and reviewing user permissions to reduce risk. [1]
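The following is an added illustration of the fix described above, not code from the Expense Management System itself; the `$users` array, the `full_name` column and the `e()` helper are assumptions standing in for whatever the Users page actually queries and prints.

```php
<?php
// Added example, not the project's own code.
// Assumption: $users is an array of rows fetched from the database, each with
// an attacker-controllable 'full_name' value entered through the Add Users form.

// Constructed sample rows; the second holds the kind of value a stored-XSS
// payload leaves behind in the database.
$users = [
    ['id' => 1, 'full_name' => 'Alice'],
    ['id' => 2, 'full_name' => '<img src=x onerror=alert(document.cookie)>'],
];

// Escape a value for an HTML text node or a quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop content);
// the charset must match the page's declared encoding.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (CWE-79): the stored name is interpolated raw, so the
// second row's payload becomes live markup when an admin views the list.
function render_users_vulnerable(array $users): string
{
    $out = '';
    foreach ($users as $row) {
        $out .= "<tr><td>{$row['id']}</td><td>{$row['full_name']}</td></tr>\n";
    }
    return $out;
}

// Hardened pattern: every user-controlled value passes through e() at the
// point of output, so the payload is rendered as visible text, not as a tag.
function render_users_safe(array $users): string
{
    $out = '';
    foreach ($users as $row) {
        $out .= '<tr><td>' . e((string) $row['id']) . '</td><td>'
              . e($row['full_name']) . "</td></tr>\n";
    }
    return $out;
}

echo render_users_safe($users);
```

With the hardened renderer the second row's angle brackets reach the browser as `&lt;` and `&gt;`, so the string displays literally and no `onerror` handler is ever parsed; the same `e()` call belongs wherever the name is echoed, including edit forms and detail pages, not only the list view.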
