CVE-2025-14200
BaseFortify
Publication date: 2025-12-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alokjaiswal | hotel-management-services-using-mysql-and-php | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/usersub.php` in the Hotel-Management-services-using-MYSQL-and-php application and testing for cross-site scripting (XSS) by injecting typical XSS payloads into inputs processed by this page. Additionally, attackers can identify vulnerable targets using Google dorking with queries like `inurl:usersub.php`. Specific commands to detect the vulnerability include using curl or wget to send crafted requests to `/usersub.php` with XSS payloads and observing if the payload is reflected unescaped in the response. For example: `curl -G --data-urlencode 'input=<script>alert(1)</script>' http://target/usersub.php` and checking the response for the script tag. Since a proof-of-concept exploit is publicly available, it can be used as a reference for detection techniques. [1]
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in the /usersub.php file of the Request Pending Page component in the alokjaiswal Hotel-Management-services-using-MYSQL-and-php application. It allows an attacker to remotely inject malicious scripts by manipulating an unknown function, potentially leading to unauthorized script execution in the context of the affected web application.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute malicious scripts in the user's browser, which may lead to session hijacking, defacement, or redirection to malicious sites. Although the impact on confidentiality and availability is rated low, the integrity of the application can be compromised, potentially affecting user trust and application behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component with an alternative product until a fix is available, as no vendor-provided mitigations or patches exist. Additionally, applying web application firewall (WAF) rules to filter and block malicious input targeting `/usersub.php` can help reduce risk. It is also advisable to sanitize and validate all user inputs on the server side to prevent XSS attacks. Monitoring and restricting access to the vulnerable page and educating users about the risks of interacting with untrusted inputs can further mitigate exploitation. [1]