Platform
php
Component
j0hn_upload_one
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Job Recruitment version 1.0. This flaw resides within the /parse/loadjob-details.php file and allows attackers to inject malicious scripts. Affected users should upgrade to version 1.0.1 to address this security concern. The vulnerability was publicly disclosed on 2025-02-01.
Successful exploitation of CVE-2025-0961 allows an attacker to inject arbitrary JavaScript code into the application. This can lead to various malicious outcomes, including session hijacking, defacement of the Job Recruitment interface, and redirection of users to phishing sites. The attacker can leverage this to steal sensitive user data or compromise the integrity of the application. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting this specific CVE have been reported as of the publication date. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure necessitates prompt remediation.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-0961 is to upgrade Job Recruitment to version 1.0.1, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the businessstreamname and companywebsiteurl parameters within the /parse/load_job-details.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Verify the upgrade by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the affected parameters after the upgrade.
Update to a patched version or apply a solution that correctly filters or escapes the inputs of the 'business_stream_name' and 'company_website_url' parameters in the file '/_parse/load_job-details.php' to prevent cross site scripting (XSS) injection. Validating and sanitizing user input is crucial. If a patched version is not available, consider disabling or removing the affected functionality until a solution can be applied.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-0961 is a cross-site scripting (XSS) vulnerability in Job Recruitment version 1.0, affecting the /parse/loadjob-details.php file. It allows attackers to inject malicious scripts.
You are affected if you are using Job Recruitment version 1.0 and have not upgraded to version 1.0.1. The vulnerability resides in the /parse/loadjob-details.php file.
Upgrade Job Recruitment to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the affected parameters.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Prompt remediation is recommended.
Refer to the official Job Recruitment project website or repository for the advisory related to CVE-2025-0961.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.