CVE-2025-12303
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | curfew_e-pass_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12303 is a Stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul Curfew e-Pass Management System version 1.0, specifically in the admin-profile.php file. It occurs because user inputs such as 'adminname' and 'email' are not properly validated or encoded before being stored and displayed. This allows an attacker to inject malicious JavaScript code that executes in the browsers of administrators who view the affected profile page. The vulnerability requires authenticated access and some user interaction to exploit. [2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can lead to severe impacts including hijacking of administrator sessions, unauthorized administrative actions, theft of sensitive data, defacement of pages, and redirection of users to malicious websites. If an attacker compromises an administrator account, they could gain full control over the management system, manipulate data, manage users, and change system configurations, thereby threatening the integrity and security of the system. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable admin-profile.php page and testing the input parameters 'adminname' and 'email' for cross-site scripting (XSS) injection. One suggested method is using Google dorking with the query "inurl:admin-profile.php" to find potentially vulnerable targets. Additionally, a proof-of-concept payload such as "><script>alert('XSS Vulnerability Found')</script>" can be injected into the 'adminname' field to verify if the script executes, indicating the vulnerability. There are no specific network commands provided, but manual testing of the web interface inputs is recommended. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implementing contextual output encoding to escape user inputs before rendering them in HTML, preventing execution of injected scripts; 2) Enforcing strict server-side input validation and sanitization to reject malicious payloads before storage; 3) Applying a Content Security Policy (CSP) HTTP header to restrict execution of inline scripts and allow scripts only from trusted sources; 4) Conducting regular security audits to identify and fix vulnerabilities proactively. If possible, replacing the affected product with an alternative solution is also suggested. [4, 3, 2]