Scan free
LOWCVE-2025-13577CVSS 3.5

CVE-2025-13577: XSS in PHPGurukul Hostel Management System

Platform

php

Component

hostel-management-system

Fixed in

2.1.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-13577 describes a cross-site scripting (XSS) vulnerability discovered in PHPGurukul Hostel Management System version 2.1. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides within the /register-complaint.php file and can be triggered by manipulating the cdetails argument. A public proof-of-concept is available.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-13577 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, phishing attacks, and defacement of the Hostel Management System's interface. An attacker could steal sensitive user data, such as login credentials or personal information stored within the application. The impact is amplified if the system is used to manage sensitive student or staff data, potentially leading to a breach of privacy and regulatory compliance issues. Given the public availability of a proof-of-concept, the risk of exploitation is considered elevated.

Exploitation Context

CVE-2025-13577 has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV. The LOW CVSS score reflects the relatively simple exploitation process and potential limited impact, but the public availability of the exploit increases the risk. Active campaigns targeting this specific vulnerability are not currently confirmed, but the ease of exploitation warrants vigilance.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.03% (10% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componenthostel-management-system
VendorPHPGurukul
Affected rangeFixed in
2.1 – 2.12.1.1

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 181 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-13577 is to upgrade to a patched version of PHPGurukul Hostel Management System. Since a fixed version is not specified, thoroughly review the vendor's release notes for updates addressing XSS vulnerabilities. As a temporary workaround, implement strict input validation and output encoding on the cdetails parameter within the /register-complaint.php file. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly scan the application for XSS vulnerabilities using automated tools.

How to fix

Update to a patched version of the PHPGurukul Hostel Management System. Contact the vendor for a corrected version or apply the necessary security measures to prevent XSS attacks in the register-complaint.php file.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-13577 — XSS in PHPGurukul Hostel Management System?

CVE-2025-13577 is a cross-site scripting (XSS) vulnerability in PHPGurukul Hostel Management System version 2.1, allowing attackers to inject malicious scripts via the 'cdetails' parameter in /register-complaint.php.

Am I affected by CVE-2025-13577 in PHPGurukul Hostel Management System?

If you are using PHPGurukul Hostel Management System version 2.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.

How do I fix CVE-2025-13577 in PHPGurukul Hostel Management System?

Upgrade to a patched version of PHPGurukul Hostel Management System. If a patch is not available, implement input validation and output encoding on the 'cdetails' parameter and consider using a WAF.

Is CVE-2025-13577 being actively exploited?

While active campaigns are not confirmed, a proof-of-concept is publicly available, increasing the risk of exploitation.

Where can I find the official PHPGurukul advisory for CVE-2025-13577?

Refer to the PHPGurukul website and security advisories for updates and information regarding CVE-2025-13577.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs