Plattform
php
Behoben in
1.0.1
CVE-2025-15214 describes a cross-site scripting (XSS) vulnerability discovered in Campcodes Park Ticketing System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts into the system, potentially compromising user data and system integrity. The vulnerability resides within the savepricing function of the adminclass.php file and can be exploited remotely. A patch is expected to address this issue.
Successful exploitation of CVE-2025-15214 enables an attacker to inject arbitrary JavaScript code into the Park Ticketing System. This code can then be executed in the context of a user's browser when they interact with the affected page. The impact ranges from session hijacking and defacement to the theft of sensitive user data, such as login credentials or personal information. Because the vulnerability is remotely exploitable, attackers can target users without requiring local access to the system. The public availability of an exploit significantly increases the risk of widespread exploitation.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The CVE was published on 2025-12-30. The CVSS score of 2.4 (LOW) reflects the relatively limited impact and ease of exploitation, but the public availability of the exploit warrants immediate attention. No KEV listing is currently available.
Administrators and users of Campcodes Park Ticketing System version 1.0 are at risk. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.
• generic web: Use curl to test the admin_class.php endpoint with crafted payloads containing <script>alert(1)</script> in the name or ride parameters. Monitor access logs for suspicious requests containing similar patterns.
curl 'http://example.com/admin_class.php?name=<script>alert(1)</script>&ride=test'• php: Examine the adminclass.php file for the savepricing function. Look for missing or inadequate input validation and output encoding of the name and ride parameters. Review the application's overall security configuration for potential weaknesses.
disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-15214 is to upgrade to a patched version of Campcodes Park Ticketing System as soon as it becomes available. Until a patch is applied, consider implementing input validation and output encoding on the name and ride parameters within the save_pricing function to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
Actualizar a una versión parcheada o aplicar las medidas de seguridad necesarias para evitar la ejecución de código XSS. Validar y limpiar las entradas del usuario en la función save_pricing del archivo admin_class.php.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-15214 is a cross-site scripting (XSS) vulnerability affecting Campcodes Park Ticketing System version 1.0, allowing attackers to inject malicious scripts.
If you are using Campcodes Park Ticketing System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Campcodes Park Ticketing System. Until then, implement input validation and output encoding.
A proof-of-concept exploit is publicly available, indicating a high probability of active exploitation.
Please refer to the Campcodes website or security channels for the official advisory regarding CVE-2025-15214.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.