Platform: php
Component: pocs
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CampCodes DepEd Equipment Inventory System, specifically affecting version 1.0. This issue resides in the processing of the /data/add_employee.php file, enabling attackers to inject malicious scripts. The vulnerability has been publicly disclosed and poses a risk to systems running the affected version. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0348 allows an attacker to inject arbitrary JavaScript code into the DepEd Equipment Inventory System. This code is then executed in the context of a user's browser when they access the affected page. The attacker could steal session cookies, redirect users to malicious websites, or deface the application. The impact is primarily on user interaction and data theft, but it could be amplified if the system handles sensitive information or is integrated with other critical systems. While the CVSS score is LOW, the public disclosure and ease of exploitation make it a significant concern.
This vulnerability was publicly disclosed on 2025-01-09. A proof-of-concept exploit is likely available due to the public disclosure. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The LOW CVSS score suggests a lower probability of widespread exploitation, but the public availability of the vulnerability increases the risk.
Organizations and institutions utilizing the DepEd Equipment Inventory System version 1.0, particularly those with limited resources for immediate patching, are at risk. Shared hosting environments where multiple users share the same server and application code are also at increased risk, as a vulnerability in one application can potentially impact others.
• php / web:
grep -r "<script" /var/www/html/data/add_employee.php
# Note: this only finds literal <script> text already present in the file; it does not show whether user input is encoded before it is rendered.
• generic web:
curl -I http://your-deped-inventory-system/data/add_employee.php | grep -i "X-XSS-Protection"
# Note: X-XSS-Protection is a deprecated header that current browsers ignore; its presence is not a mitigation for this issue.
Disclosure
Exploit status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0348 is to upgrade to version 1.0.1 of the DepEd Equipment Inventory System. This version contains a fix for the XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /data/add_employee.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
Update to a patched version of the DepEd Equipment Inventory System. If no version is available, sanitize user input in the /data/add_employee.php file to prevent the injection of malicious code. Validate and escape the data before displaying it on the page.
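The workaround above (validate on input, encode on output) illustrated in PHP. This is an added example, not code from CampCodes or from the affected file; the field name employee_name is an assumption, since the advisory does not name the affected parameter.

```php
<?php
// Added example (not CampCodes code): hardened handling of a form field in
// a page like /data/add_employee.php. The parameter name "employee_name" is
// an assumption; the advisory does not name the affected field.

declare(strict_types=1);

// Output encoding: encode untrusted data for the HTML context it is written
// into. ENT_QUOTES also encodes the single quote, so the value is safe inside
// quoted attributes; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8 (which would silently drop the field).
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation: accept only what a name field legitimately needs.
// Returns null on rejection so the caller can show a generic error.
function validate_employee_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters (any script), combining marks, spaces, apostrophes, hyphens and periods only.
    if (!preg_match('/^[\p{L}\p{M} \'.\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Vulnerable pattern (reflects the raw parameter straight into the page):
//   echo "Added employee: " . $_POST['employee_name'];
// Any HTML tag in the submitted value would be rendered and executed by the browser.

// Hardened pattern: validate on input, encode on output.
$name = validate_employee_name($_POST['employee_name'] ?? null);
if ($name === null) {
    http_response_code(400);
    echo 'Invalid employee name.';
    exit;
}
// ... persist $name with a prepared statement (not shown) ...
echo 'Added employee: ' . html_encode($name);
// Constructed inputs: a value containing "<script>" fails validation (400);
// the legitimate name O'Brien is emitted as O&#039;Brien and displays as O'Brien.
```

Output encoding is the control that closes the XSS; the validation step narrows the input and gives a clear rejection path, but it must not be relied on alone because other fields or contexts may have different rules.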
CVE-2025-0348 is a cross-site scripting (XSS) vulnerability affecting DepEd Equipment Inventory System version 1.0, allowing attackers to inject malicious scripts via the /data/add_employee.php file.
You are affected if you are using DepEd Equipment Inventory System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /data/add_employee.php page.
While there are no confirmed reports of active exploitation, the public disclosure increases the likelihood of exploitation.
Refer to the CampCodes website or relevant security forums for the official advisory regarding CVE-2025-0348.