Platform: php
Component: pocs
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CampCodes DepEd Equipment Inventory System, specifically affecting version 1.0. This issue resides in the processing of the /data/add_employee.php file, enabling attackers to inject malicious scripts. The vulnerability has been publicly disclosed and poses a risk to systems running the affected version. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0348 allows an attacker to inject arbitrary JavaScript code into the DepEd Equipment Inventory System. This code can then be executed in the context of a user's browser when they access the affected page. The attacker could potentially steal session cookies, redirect users to malicious websites, or deface the application. The impact is primarily focused on user interaction and data theft, but could be amplified if the system handles sensitive information or is integrated with other critical systems. While the CVSS score is LOW, the public disclosure and ease of exploitation make it a significant concern.
This vulnerability was publicly disclosed on 2025-01-09. A proof-of-concept exploit is likely available due to the public disclosure. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The LOW CVSS score suggests a lower probability of widespread exploitation, but the public availability of the vulnerability increases the risk.
Exploit Status
EPSS: 0.13% (33rd percentile)
The primary mitigation for CVE-2025-0348 is to upgrade to version 1.0.1 of the DepEd Equipment Inventory System. This version contains a fix for the XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /data/add_employee.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
Upgrade to a patched version of the DepEd Equipment Inventory System. If no patched version is available, sanitize user input in the /data/add_employee.php file to prevent the injection of malicious code. Validate and escape the data before displaying it on the page.
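The workaround above (validate on input, encode on output) as an added example in PHP; this is not CampCodes' code, and the form field names, the allowed character set and the sample input are assumptions, since the advisory does not show the actual handler.

```php
<?php
// Added example, not the project's add_employee.php. Field names are assumed.
declare(strict_types=1);

// The pattern the advisory describes: a POST value written straight into HTML.
// Anything the user typed, including markup, ends up in every viewer's browser.
function render_employee_unsafe(array $post): string
{
    $name = $post['name'] ?? '';
    return '<td>' . $name . '</td>';   // XSS sink: no encoding
}

// Input validation: narrow each field to what an employee record can contain.
function validate_employee(array $post): array
{
    $name = trim((string) ($post['name'] ?? ''));
    $dept = trim((string) ($post['department'] ?? ''));
    $errors = [];
    // Allowlist (assumed policy): letters, spaces, period, apostrophe, hyphen.
    if ($name === '' || mb_strlen($name) > 100 || !preg_match("/^[\p{L} .'-]+$/u", $name)) {
        $errors[] = 'name';
    }
    if ($dept === '' || mb_strlen($dept) > 100) {
        $errors[] = 'department';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'name' => $name, 'department' => $dept];
}

// Output encoding is the control that actually stops script injection; validation
// only reduces what reaches the sink, so every rendered value is still escaped.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_employee_safe(array $emp): string
{
    return '<td>' . h($emp['name']) . '</td><td>' . h($emp['department']) . '</td>';
}

// Constructed sample: a name that validation allows but that must still be encoded
// (the apostrophe would otherwise break out of a single-quoted attribute).
$sample  = ['name' => "Mary O'Brien", 'department' => 'IT'];
$checked = validate_employee($sample);
if (!$checked['ok']) {
    echo 'Rejected fields: ' . h(implode(', ', $checked['errors'])), PHP_EOL;
} else {
    echo render_employee_safe($checked), PHP_EOL;   // <td>Mary O&apos;Brien</td><td>IT</td>
}
```

Run it with `php add_employee_example.php`; swap the sample name for one containing angle brackets to see validation reject it, and call `render_employee_unsafe` on the same input to see why encoding is the non-negotiable half of the fix.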
CVE-2025-0348 is a cross-site scripting (XSS) vulnerability affecting DepEd Equipment Inventory System version 1.0, allowing attackers to inject malicious scripts via the /data/add_employee.php file.
You are affected if you are using DepEd Equipment Inventory System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /data/add_employee.php page.
While there are no confirmed reports of active exploitation, the public disclosure increases the likelihood of exploitation.
Refer to the CampCodes website or relevant security forums for the official advisory regarding CVE-2025-0348.