Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Real Estate Property Management System, affecting version 1.0. The flaw allows attackers to inject malicious scripts by manipulating the CategoryId parameter handled by the /Admin/EditCategory file. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-1195 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Real Estate Property Management System. This can lead to session hijacking, credential theft, defacement of the application, or redirection to malicious websites. The remote nature of the vulnerability means an attacker doesn't need local access to exploit it. The impact is amplified if the administrator account is compromised, potentially granting control over the entire system and sensitive property data.
CVE-2025-1195 has been publicly disclosed. A proof-of-concept exploit is likely to emerge given the vulnerability's nature and public disclosure. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation could increase this risk. The vulnerability was published on 2025-02-12.
EPSS: 0.27% (50th percentile)
The primary mitigation for CVE-2025-1195 is to immediately upgrade the Real Estate Property Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the CategoryId parameter in /Admin/EditCategory to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to prevent similar vulnerabilities.
Update to a patched version of the property management system. If a patched version is not available, sanitize the inputs of the CategoryId parameter in the /Admin/EditCategory file to prevent XSS code execution.
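The workaround above names two controls: validate the CategoryId value on input and encode it on output. The PHP below is an added illustration of those two controls and is not code from code-projects or from the affected application; the handler functions, the form markup and the sample inputs are constructed, and only the parameter name (CategoryId) and the page path (/Admin/EditCategory) come from the advisory. It shows the weak pattern (raw query-string value echoed into markup) next to a hardened version of the same handler.

```php
<?php
// Added illustration, not code from the Real Estate Property Management
// System. Function names, the form markup and the sample inputs are
// assumptions; only the CategoryId parameter name and the
// /Admin/EditCategory path are taken from the advisory.

declare(strict_types=1);

/**
 * Input validation: CategoryId identifies a database row, so anything other
 * than a positive integer is rejected before it reaches a query or a page.
 * Returns null on invalid input so the caller can stop early.
 */
function validateCategoryId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects values with trailing text, markup,
    // decimals or surrounding whitespace; min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Output encoding for an HTML body or attribute context. ENT_QUOTES also
 * encodes single quotes, so the result is safe inside either attribute
 * delimiter; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak pattern (the class of flaw the advisory describes): the raw request
// value is concatenated into markup, so whatever the client sent becomes
// part of the page rendered in the victim's browser.
function renderEditFormWeak(array $get): string
{
    $categoryId = $get['CategoryId'] ?? '';
    return '<input type="hidden" name="CategoryId" value="' . $categoryId . '">';
}

// Hardened pattern: validate first and answer 400 on failure, then encode
// on output. The integer cannot carry markup, but encoding it anyway keeps
// the template safe if the field is later changed to a free-text value.
function renderEditFormHardened(array $get): string
{
    $categoryId = validateCategoryId($get['CategoryId'] ?? null);
    if ($categoryId === null) {
        http_response_code(400);
        return '<p>Invalid category id.</p>';
    }
    return '<input type="hidden" name="CategoryId" value="' . h((string) $categoryId) . '">';
}

// Stand-alone demonstration on constructed sample inputs (run with php -f).
if (PHP_SAPI === 'cli') {
    foreach (['7', '7abc', '-1', ' 7', ''] as $sample) {
        echo str_pad(var_export($sample, true), 8), ' weak     -> ',
             renderEditFormWeak(['CategoryId' => $sample]), PHP_EOL;
        echo str_pad('', 8), ' hardened -> ',
             renderEditFormHardened(['CategoryId' => $sample]), PHP_EOL;
    }
}
```

The two controls are independent: validation stops malformed identifiers at the boundary, and encoding at the point of output protects the page even where validation is missing or is relaxed later. Applying the encoding in a `h()` helper used by every template, rather than at a single call site, is what turns a one-off fix for /Admin/EditCategory into protection for similar parameters elsewhere in the application.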
CVE-2025-1195 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of the Real Estate Property Management System, allowing attackers to inject malicious scripts via the CategoryId parameter.
You are affected if you are using Real Estate Property Management System version 1.0 and have not upgraded to version 1.0.1 or later.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the CategoryId parameter.
While exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems closely.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-1195.