CVE-2025-12230
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | expense_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12230 is a persistent Cross-Site Scripting (XSS) vulnerability in projectworlds Expense Management System 1.0, specifically in the /public/admin/currencies/create file of the Currency Page component. Authenticated attackers can inject malicious JavaScript code into form fields such as Title, Symbol, and money format fields. This malicious code is stored in the database and executed in the browsers of other users, including administrators, when they view or interact with the affected pages. The vulnerability arises due to improper input sanitization and lack of output encoding, allowing attackers to execute scripts remotely. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to session hijacking, unauthorized actions like creating admin accounts or deleting passes, phishing attacks through injected fake login forms, keystroke logging, and website defacement. Since the malicious scripts execute in the context of other users' browsers, attackers can steal sensitive information or perform actions on behalf of legitimate users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the XSS attack on the affected application. Specifically, log into the Expense Management System, navigate to the Add Currency page (/public/admin/currencies/create), and submit form fields such as "Title," "Symbol," "Money format for thousands," or "Money format for decimal" with a JavaScript payload like `<img src=x onerror=alert('XSS')>` or `<img src=x onerror=alert(document.cookie)>`. If the payload executes (e.g., an alert box appears), the system is vulnerable. Network detection could involve monitoring for suspicious HTTP POST requests containing such payloads targeting the currency creation endpoint. No specific command-line tools or commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying proper output encoding to sanitize user inputs before rendering them in HTML. Specifically, use PHP's `htmlspecialchars()` function with flags like `ENT_QUOTES` and `UTF-8` encoding to prevent execution of injected scripts. For example, replace vulnerable code such as `echo $row['full_name'];` with `echo htmlspecialchars($row['full_name'], ENT_QUOTES, 'UTF-8');`. Since no official patch is available, consider restricting access to the affected functionality to trusted users only or replacing the affected component with an alternative product. [1, 2]