CVE-2025-56605
Received Received - Intake
Reflected XSS in PuneethReddyHC Event Management System register.php

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: MITRE

Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute arbitrary JavaScript code in the victim's browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56605
EUVD
EUVD-2025-208121
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
puneethreddihc event_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-56605 is a reflected Cross-Site Scripting (XSS) vulnerability in the register.php backend script of the PuneethReddyHC Event Management System version 1.0. The issue occurs because the mobile POST parameter is not properly validated or sanitized before being echoed back in the HTTP response.'}, {'type': 'paragraph', 'content': "This improper handling allows an attacker to inject arbitrary JavaScript code via a crafted POST request. When the victim's browser receives the response, the malicious script executes, potentially compromising the user's session or data."}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the browsers of users interacting with the vulnerable register.php script.

  • Stealing user session cookies or authentication tokens.
  • Performing actions on behalf of the user without their consent.
  • Redirecting users to malicious websites.
  • Defacing the website or displaying unwanted content.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted POST request to the register.php backend script with a malicious payload in the mobile parameter and observing if the payload is reflected unsanitized in the HTTP response.'}, {'type': 'paragraph', 'content': 'For example, you can use the curl command to test for the vulnerability by sending a POST request with a JavaScript payload in the mobile parameter and checking if it appears in the response without encoding.'}, {'type': 'list_item', 'content': 'curl -X POST -d "mobile=<script>alert(\'XSS\')</script>" http://target-site/backend/register.php -i'}, {'type': 'paragraph', 'content': 'If the response contains the script tags and JavaScript code without any HTML entity encoding, the system is vulnerable to reflected XSS.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, you should sanitize or encode the user input before outputting it in the HTTP response.'}, {'type': 'paragraph', 'content': "Specifically, applying PHP's htmlspecialchars function on the mobile POST parameter will encode special characters and prevent script injection."}, {'type': 'list_item', 'content': "Use: echo htmlspecialchars($_POST['mobile'], ENT_QUOTES, 'UTF-8');"}, {'type': 'paragraph', 'content': 'This ensures that any HTML or JavaScript code submitted via the mobile parameter is safely encoded and not executed by the browser.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart