CVE-2025-12229
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in projectworlds Expense Management System 1.0. This affects an unknown function of the file /public/admin/roles/create of the component Roles Page. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectworlds expense_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-12229 is a persistent cross-site scripting (XSS) vulnerability in projectworlds Expense Management System version 1.0, specifically in the Roles Page component at /public/admin/roles/create. It occurs because user input is not properly sanitized before being included in web pages, allowing an authenticated attacker to inject malicious scripts into the system. These scripts are stored in the database and executed in the browsers of other users, including administrators, when they view the affected pages. Exploitation requires authentication and some user interaction, and a proof-of-concept exploit is publicly available. [1, 2, 3]

Impact Analysis

This vulnerability can lead to session hijacking, unauthorized actions such as creating admin accounts or deleting passes, phishing attacks via injected fake login forms, keystroke logging, and website defacement. Since malicious scripts execute in the browsers of other users, attackers can steal session cookies and perform actions with the privileges of the compromised users, potentially compromising data integrity and security. [2, 3]

Detection Guidance

This vulnerability can be detected by testing the /public/admin/roles/create page for persistent cross-site scripting (XSS) by submitting typical XSS payloads such as <img src=x onerror=alert('XSS')> in form fields like 'Title'. Monitoring for unexpected JavaScript execution or alerts when viewing roles pages can indicate exploitation. Since the vulnerability requires authentication, testing should be done with valid credentials. There are no specific network commands provided, but manual or automated web application security testing tools can be used to inject and detect XSS payloads in the roles creation form. [2]

Mitigation Strategies

Immediate mitigation involves applying proper output encoding on user-supplied data before rendering it in HTML. Specifically, use PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 flags to encode inputs such as the 'Title' field in the roles creation page. For example, replace vulnerable code like echo $row['full_name']; with echo htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8');. Since no official patch is available, consider replacing the affected component or restricting access to the vulnerable page until a fix is implemented. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart