CVE-2025-14205
BaseFortify
Publication date: 2025-12-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | chamber_of_commerce_membership_management_system | 1.0 |
| fabian | chamber_of_commerce_membership_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in the Chamber of Commerce Membership Management System 1.0, specifically in the /membership_profile.php file within the Your Info Handler component. It occurs when an attacker manipulates input fields such as Full Name, Address, City, or State, allowing malicious scripts to be executed remotely.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute malicious scripts in the context of the affected web application, potentially leading to unauthorized actions performed on behalf of legitimate users, session hijacking, or defacement. However, the CVSS scores indicate a low to moderate impact, with no confidentiality or availability impact but some integrity impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for the presence of the vulnerable file /membership_profile.php in the code-projects Chamber of Commerce Membership Management System version 1.0. Additionally, Google dorking can be used with the query 'inurl:membership_profile.php' to identify potentially vulnerable targets. To test for the vulnerability, you can attempt to inject typical XSS payloads into the Full Name, Address, City, or State fields and observe if the input is reflected unsanitized in the HTML output. For example, using curl or wget to send crafted HTTP requests with script tags in these parameters and checking the response for reflected scripts can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component with an alternative product, as no known countermeasures or patches have been documented. Additionally, applying proper input validation and output encoding (such as using htmlspecialchars() in PHP) on the Full Name, Address, City, and State fields in /membership_profile.php can help prevent the XSS vulnerability. Restricting user input to safe characters and sanitizing all user-controllable inputs before rendering them in HTML output is recommended. Until a fix is applied, limiting access to the vulnerable page and monitoring for suspicious activity may reduce risk. [1, 4]