Executive Summary

CVE-2025-65132 is a reflected Cross-Site Scripting (XSS) vulnerability in version 1.0 of the hotel-management-php application by alandsilva26. It occurs in the /public/admin/edit_room.php script where the room_id GET parameter is taken from the URL and directly inserted into the HTML response without any encoding or validation.

This lack of sanitization allows an attacker to inject and execute arbitrary JavaScript code in the browsers of users who visit a specially crafted URL, including administrators.

The vulnerability is non-persistent (reflected) and can be exploited remotely without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including:

• Confidentiality risk: Attackers can steal session cookies and authentication tokens if they are not properly protected, potentially hijacking user sessions.
• Integrity risk: Attackers can perform unauthorized actions such as modifying hotel room data or creating admin accounts.
• Availability risk: Attackers may cause forced logouts or deface the user interface.

Because the vulnerable page is admin-facing, successful exploitation can lead to full compromise of the application.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /public/admin/edit_room.php endpoint with crafted URLs that include malicious JavaScript payloads in the room_id GET parameter. If the injected script executes in the browser, the vulnerability is present.

A simple detection method is to use curl or a web browser to request a URL such as:

• curl -i "http://target-site/public/admin/edit_room.php?room_id=<script>alert('XSS')</script>"

If the response contains the injected script without encoding or sanitization, the vulnerability exists.

Additionally, automated web vulnerability scanners that test for reflected XSS vulnerabilities on GET parameters can be used to detect this issue.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Apply output encoding on the room_id parameter using htmlspecialchars($room_id, ENT_QUOTES, 'UTF-8') before echoing it in the HTML response.
• Enforce strict server-side input validation to accept only numeric integers for the room_id parameter and reject invalid inputs with HTTP 400 errors.
• Implement a Content Security Policy (CSP) header such as Content-Security-Policy: default-src 'self' to reduce the impact of XSS.
• Set admin session cookies with HttpOnly and SameSite=Strict attributes to prevent cookie theft via JavaScript.
• Avoid echoing raw PHP warnings or user input in responses; instead, log errors server-side only.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of administrative users, which can lead to the exfiltration of session cookies and authentication tokens if not properly protected. This poses a high risk to confidentiality and integrity of sensitive data.

Such unauthorized access and potential data leakage can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Because the vulnerability affects an admin-facing page and can lead to full application compromise, it increases the risk of violating compliance requirements related to data confidentiality, integrity, and availability.

Useful 0 Not Useful 0