Scan free
LOWCVE-2025-1905CVSS 3.5

CVE-2025-1905: XSS in Employee Management System 1.0

Platform

php

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-1905 is a problematic cross-site scripting (XSS) vulnerability identified in SourceCodester Employee Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts through the manipulation of the 'Full Name' argument within the employee.php file. The vulnerability is remotely exploitable and has been publicly disclosed, posing a potential risk to user data and system integrity. A patch is available in version 1.0.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-1905 allows an attacker to inject arbitrary JavaScript code into the Employee Management System. This can lead to a variety of malicious outcomes, including session hijacking, phishing attacks, and defacement of the application's user interface. An attacker could steal sensitive user data, such as login credentials or personal information stored within the system. Furthermore, the injected script could be used to redirect users to malicious websites or to perform actions on their behalf, potentially granting the attacker unauthorized access to the system and its resources. The impact is amplified if the system handles sensitive employee data or is integrated with other critical business applications.

Exploitation Context

CVE-2025-1905 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this vulnerability have been reported as of the publication date. Public proof-of-concept code may be available, further facilitating exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
NextGuard10–15% still vulnerable

EPSS

0.10% (28% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

VendorSourceCodester
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-1905 is to immediately upgrade to version 1.0.1 of the Employee Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Full Name' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting the employee.php file. Regularly review and update the application's security configuration to ensure best practices are followed. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Full Name' field and verifying that it is properly sanitized.

How to fix

Actualice a una versión parcheada del software. Si no hay una versión disponible, filtre las entradas del campo 'Full Name' para evitar la ejecución de código JavaScript malicioso. Considere deshabilitar temporalmente la funcionalidad hasta que se aplique una solución.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-1905 — XSS in Employee Management System 1.0?

CVE-2025-1905 is a cross-site scripting (XSS) vulnerability affecting versions 1.0-1.0 of the Employee Management System, allowing attackers to inject malicious scripts via the 'Full Name' parameter.

Am I affected by CVE-2025-1905 in Employee Management System 1.0?

You are affected if you are using Employee Management System version 1.0 or 1.0. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2025-1905 in Employee Management System 1.0?

Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Full Name' field.

Is CVE-2025-1905 being actively exploited?

While no active campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems closely.

Where can I find the official Employee Management System advisory for CVE-2025-1905?

Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2025-1905.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs