CVE-2025-63611
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-08

Last updated on: 2026-01-12

Assigner: MITRE

Description
Cross-Site Scripting in phpgurukul Hostel Management System v2.1 user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63611
EUVD
EUVD-2026-1516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul hostel_management_system 2.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in the phpgurukul Hostel Management System v2.1. It occurs because user-provided complaint fields (specifically the 'Explain the Complaint' field) submitted via /register-complaint.php are stored and then displayed without proper escaping in the admin viewer page (/admin/complaint-details.php). As a result, when an administrator views the complaint, any injected HTML or JavaScript code executes in the admin's browser.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the administrator's browser when they view the complaint details. This can lead to unauthorized actions such as stealing admin session cookies, defacing the admin interface, or performing actions on behalf of the admin, potentially compromising the security and integrity of the system.

Detection Guidance

This vulnerability can be detected by testing the complaint submission form (/register-complaint.php) for Cross-Site Scripting (XSS) by injecting HTML or JavaScript payloads into the 'Explain the Complaint' field and then checking if the injected code executes when viewing the complaint in the admin viewer (/admin/complaint-details.php?cid=<id>). Commands to detect this could include using curl or wget to submit payloads and then retrieving the complaint details page to see if the payload is rendered unescaped. For example, use curl to POST a payload: curl -d "complaint=<script>alert(1)</script>" -X POST http://yourhost/register-complaint.php and then fetch the complaint details page with curl or a browser to observe if the script executes.

Mitigation Strategies

Immediate mitigation steps include sanitizing and escaping user input in the 'Explain the Complaint' field before storing or rendering it, especially in the admin viewer page (/admin/complaint-details.php). Applying input validation and output encoding to prevent execution of injected scripts is critical. Additionally, restricting admin access to trusted users and using Content Security Policy (CSP) headers can help reduce the impact of XSS attacks until a patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63611. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart