Platform
php
Component
19d21e7fdbaf3512fccfd75df3080657
Fixed in
1.0.1
CVE-2025-0295 describes a cross-site scripting (XSS) vulnerability discovered in Online Book Shop version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability specifically targets the /booklist.php file and is triggered by manipulating the 'subcatnm' parameter. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted 'subcatnm' parameter. When a user clicks on this link, the injected script will execute within their browser context, under the user's privileges. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the website. The impact is limited to the user interacting with the malicious link, but the consequences can be severe, including account compromise and data theft. The vulnerability's location within a book listing page suggests a potential attack vector targeting users browsing the online store.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No known active campaigns targeting this specific CVE have been reported as of the publication date. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure necessitates prompt remediation. The vulnerability is tracked by the NVD and CISA.
Exploit Status
EPSS
0.24% (46% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0295 is to upgrade to version 1.0.1 of Online Book Shop, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'subcatnm' parameter in /booklist.php. This should include escaping any potentially harmful characters before rendering the parameter in the HTML output. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Review and update any existing security policies to address XSS vulnerabilities.
Update to a patched version or apply a solution that filters or escapes the input of the 'subcatnm' parameter in the '/booklist.php' file to prevent XSS code execution. Validating and sanitizing user input is crucial to prevent this type of vulnerability. If a patched version is not available, consider disabling or removing the affected functionality until a solution can be applied.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-0295 is a cross-site scripting (XSS) vulnerability affecting Online Book Shop versions 1.0 through 1.0, allowing attackers to inject malicious scripts.
If you are using Online Book Shop version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'subcatnm' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Online Book Shop project's official website or security advisory page for the latest information and updates regarding CVE-2025-0295.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.