CVE-2025-14194
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in code-projects Employee Profile Management System 1.0. This issue affects some unknown processing of the file /view_personnel.php. The manipulation of the argument per_address/dr_school/other_school leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-07
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14194
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
carmelogarcia employee_profile_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the code-projects Employee Profile Management System 1.0, specifically in the /view_personnel.php file. It involves improper handling of the per_address, dr_school, or other_school arguments, which allows an attacker to perform a cross-site scripting (XSS) attack. This means an attacker can inject malicious scripts remotely that may execute in the context of a user's browser.

Impact Analysis

The vulnerability can impact you by allowing an attacker to execute malicious scripts in your browser when you access the affected system. This can lead to unauthorized actions such as session hijacking, defacement, or redirecting users to malicious sites. However, the CVSS scores indicate a relatively low severity with limited impact on confidentiality and availability, but some impact on integrity.

Detection Guidance

This vulnerability can be detected by searching for the presence of the vulnerable file /view_personnel.php and checking if the parameters per_address, dr_school, or other_school are susceptible to injection of malicious scripts. One method is to use Google dorking with the query inurl:view_personnel.php to identify potentially vulnerable targets. Additionally, testing can be performed by submitting payloads such as <script>alert('XSS');</script> into the affected fields (per_address, dr_school, other_school) via authenticated user input forms and observing if the script executes when viewing personnel profiles or reports. There are no specific network commands provided, but manual testing through the web interface or automated scanning tools targeting these parameters can be used. [1, 3]

Mitigation Strategies

Immediate mitigation steps include applying proper HTML output encoding to all user-controlled data before rendering it in the web pages, for example by using PHP's htmlspecialchars() function with appropriate flags (e.g., ENT_QUOTES, 'UTF-8'). Additionally, sanitize and validate all inputs on save or update to reject or normalize inputs containing script tags or event handlers. Enforce length and character set constraints on profile fields. If possible, replace the affected product with an alternative solution as no known countermeasures are documented. Adopting a global output-encoding strategy using centralized helper functions is recommended to ensure no raw database content is printed directly in templates. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart