Plattform
php
Behoben in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in the Human Metapneumovirus Testing Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'email' parameter within the admin profile page (/profile.php). The vulnerability has been publicly disclosed and a patch is available in version 1.0.1, addressing the issue.
Successful exploitation of CVE-2025-2375 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Human Metapneumovirus Testing Management System. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive user data, including personal information and potentially medical testing results, depending on the system's data handling practices. The impact is amplified if the system is used in a healthcare setting, where patient data confidentiality is paramount.
This vulnerability was publicly disclosed on 2025-03-17. A proof-of-concept exploit is likely available given the public disclosure. The CVSS score is LOW, suggesting that exploitation may require specific user interaction or a targeted attack. There is no indication of active exploitation campaigns at this time, but the public availability of the vulnerability increases the risk of opportunistic attacks.
Healthcare organizations and laboratories utilizing the Human Metapneumovirus Testing Management System are particularly at risk, as the system likely handles sensitive patient data. Administrators and users with access to the admin profile page are also directly exposed to the vulnerability.
• php: Examine /profile.php for improper input validation of the 'email' parameter. Search for instances where user input is directly outputted to the page without proper encoding.
• generic web: Monitor access logs for requests to /profile.php with unusual or suspicious parameters in the 'email' field. Look for patterns indicative of XSS attempts (e.g., <script>).
• generic web: Use curl to test the /profile.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>) and verify that the payload is not executed.
disclosure
Exploit-Status
EPSS
0.09% (25% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-2375 is to immediately upgrade the Human Metapneumovirus Testing Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'email' parameter in /profile.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /profile.php endpoint can provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the email field and verifying that the script is not executed.
Aktualisieren Sie das Human Metapneumovirus Testing Management System auf eine gepatchte Version oder implementieren Sie Eingabe-Sanitierungsmaßnahmen in der Datei profile.php, insbesondere im Argument 'email', um Cross-Site Scripting (XSS)-Angriffe zu verhindern. Validieren und maskieren Sie die Benutzereingabe, bevor Sie sie auf der Seite anzeigen, um die Ausführung von bösartigem Code zu vermeiden.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-2375 is a cross-site scripting (XSS) vulnerability in Human Metapneumovirus Testing Management System version 1.0, allowing attackers to inject malicious scripts via the email parameter in /profile.php.
You are affected if you are running Human Metapneumovirus Testing Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'email' parameter in /profile.php.
There is no current indication of active exploitation, but the public disclosure increases the risk of opportunistic attacks.
Refer to the vendor's official website or security advisories for the most up-to-date information regarding CVE-2025-2375.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.