Platform: php
Component: cveee
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Complete Online Beauty Parlor Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application via manipulation of the 'Name' parameter within the /admin/customer-list.php file. The vulnerability is remotely exploitable and a public proof-of-concept is available, posing a potential risk to administrators.
Successful exploitation of CVE-2025-13484 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative interface, and theft of sensitive information such as user credentials or customer data. Given the administrative context, an attacker could potentially gain control over the entire system, impacting all users and data stored within the beauty parlor management system. The availability of a public proof-of-concept significantly increases the likelihood of exploitation.
CVE-2025-13484 is a relatively low-severity vulnerability due to its XSS nature and the requirement for administrator access. However, the availability of a public proof-of-concept indicates a higher probability of exploitation, particularly if the system is publicly accessible and administrators are not diligent about security practices. The vulnerability was publicly disclosed on 2025-11-20.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13484 is to upgrade to a patched version of Complete Online Beauty Parlor Management System. Because no fixed version is specified, immediate action is crucial. In the interim, deploy a Web Application Firewall (WAF) rule that sanitizes the 'Name' parameter of /admin/customer-list.php, specifically filtering for potentially malicious JavaScript, and restrict access to the /admin/customer-list.php endpoint to authorized administrators only. After applying these mitigations, verify them by submitting a simple test payload (e.g., <script>alert('XSS')</script>) through the 'Name' parameter and confirming that it is properly blocked.
Update to a patched version of the beauty parlor management system. If no such version is available, sanitize user input, especially the 'Name' argument in /admin/customer-list.php, to prevent XSS code execution, and contact the vendor for a security patch.
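The durable fix behind the sanitization advice above is contextual output encoding at the point the customer name is written into the admin page. The following is an added illustration, not the application's own code or the vendor's patch: it assumes the admin list is rendered as an HTML table in PHP, and the function and field names are hypothetical.

```php
<?php
// Added example (not code from the vulnerable application): encode
// attacker-controllable values such as the customer 'Name' before they are
// written into the HTML of the admin customer list.
declare(strict_types=1);

// Encode a value for an HTML text or quoted-attribute context. ENT_QUOTES
// encodes both quote styles, so the result is also safe inside a quoted
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical row renderer for /admin/customer-list.php: every value that
// came from a request or the database passes through html(), never echo raw.
function renderCustomerRow(array $customer): string
{
    return '<tr>'
        . '<td>' . html((string) $customer['name']) . '</td>'
        . '<td>' . html((string) $customer['email']) . '</td>'
        . '</tr>';
}

// Check used after deploying the fix: the rendered row must not contain a
// raw tag taken from the input. Throws instead of using assert(), which is
// often disabled by zend.assertions in production.
function verifyNoRawTag(string $renderedRow, string $input): void
{
    if (strpos($renderedRow, '<script') !== false
        || strpos($renderedRow, $input) !== false) {
        throw new RuntimeException('Name was rendered without encoding');
    }
}

// Constructed sample using the harmless verification payload named in the
// advisory; the e-mail address is made up.
$sample = [
    'name'  => "<script>alert('XSS')</script>",
    'email' => 'customer@example.invalid',
];

$row = renderCustomerRow($sample);
verifyNoRawTag($row, $sample['name']);
echo $row, PHP_EOL; // the payload is displayed as text, not executed
```

A WAF rule on the 'Name' parameter remains a stopgap; the encoding above protects the page regardless of how the value reached the database.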
CVE-2025-13484 is a cross-site scripting (XSS) vulnerability affecting Complete Online Beauty Parlor Management System version 1.0, allowing attackers to inject malicious scripts via the Name parameter in /admin/customer-list.php.
If you are running Complete Online Beauty Parlor Management System version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as possible.
Upgrade to a patched version of Complete Online Beauty Parlor Management System. If upgrading is not immediately possible, implement a WAF rule to sanitize user input for the Name parameter.
While active exploitation is not confirmed, a public proof-of-concept exists, increasing the likelihood of exploitation.
Check the Campcodes website or relevant security forums for updates and advisories regarding CVE-2025-13484.