Platform: php
Component: my-cve
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Complete Online Beauty Parlor Management System version 1.0. The weakness resides in an unknown function of the file /admin/bwdates-reports-details.php and allows attackers to inject malicious scripts. Successful exploitation can lead to unauthorized access to and manipulation of user data, impacting the integrity of the beauty parlor management system. The vulnerability is publicly known and a proof-of-concept is available.
The primary impact of this XSS vulnerability is the potential for attackers to inject malicious JavaScript code into the application. This code can then be executed in the context of a user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the website. The remote nature of the vulnerability means that an attacker does not need to be on the same network as the server to exploit it. Given the sensitive nature of beauty parlor management data (customer information, appointment details, payment information), a successful attack could have significant consequences for both the business and its clients.
This vulnerability has been publicly disclosed and a proof-of-concept is available, indicating a higher risk of exploitation. It is not currently listed on CISA KEV. The CVSS score of 2.4 (LOW) reflects the relatively limited impact and ease of exploitation; the public availability of a PoC nevertheless increases the likelihood of attacks. Monitor for unusual activity and unauthorized script execution.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to upgrade to a patched version of Complete Online Beauty Parlor Management System. As no fixed version is currently available, immediate steps should focus on reducing the attack surface. Implement a Web Application Firewall (WAF) rule to filter out potentially malicious input in the 'fromdate' parameter of /admin/bwdates-reports-details.php. Server-side input validation and sanitization are also crucial to prevent the injection of malicious scripts. Consider restricting access to the /admin directory to authorized personnel only. Regularly review and update security configurations.
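An added example (not the application's own code, since the page does not show the affected function) of the server-side validation and output encoding the mitigation describes. It assumes the 'fromdate' value is reflected into an HTML page; the function names and the reconstruction of the vulnerable pattern are assumptions.

```php
<?php
// Added example, not code from the affected project. The page does not show the
// vulnerable function, so this date-filtered report header is an assumed reconstruction.

// Pattern to avoid: the request parameter is echoed into the HTML unescaped,
// so any markup in 'fromdate' is rendered in the viewer's browser.
function render_report_header_unsafe(array $get): string
{
    $from = $get['fromdate'] ?? '';
    return "<h4>Report from " . $from . "</h4>";
}

// Strict allow-list: exactly YYYY-MM-DD and a real calendar date (2025-02-30 is rejected
// because the round trip through DateTimeImmutable changes it).
function validate_report_date(string $raw): ?string
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Hardened form: validate on input, then encode for the HTML body context on output.
function render_report_header_safe(array $get): string
{
    $from = validate_report_date((string)($get['fromdate'] ?? ''));
    if ($from === null) {
        http_response_code(400);
        return "<p>Invalid date range.</p>";
    }
    $safe = htmlspecialchars($from, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h4>Report from " . $safe . "</h4>";
}

// Constructed inputs: a valid date and a value carrying harmless markup.
$good = ['fromdate' => '2025-01-01'];
$bad  = ['fromdate' => '2025-01-01<b>x</b>'];
echo render_report_header_safe($good), PHP_EOL;  // date rendered as text
echo render_report_header_safe($bad), PHP_EOL;   // rejected with a 400 and a generic message
```

Validation alone is not a substitute for output encoding: the `htmlspecialchars` call still applies even to a value that passed the allow-list, so a later change to the validation rule cannot silently reintroduce the reflection.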
Update the Complete Online Beauty Parlor Management System to a patched version that resolves the Cross-Site Scripting (XSS) vulnerability. Consult the vendor for the corrected version or apply necessary security measures to prevent the execution of malicious scripts.
CVE-2025-14991 is a cross-site scripting (XSS) vulnerability affecting Complete Online Beauty Parlor Management System version 1.0, allowing attackers to inject malicious scripts via the 'fromdate' parameter.
If you are using Complete Online Beauty Parlor Management System version 1.0, you are potentially affected by this XSS vulnerability. Immediate mitigation steps are necessary.
Upgrading to a patched version of the software is the recommended fix. Until a patch is available, implement WAF rules and input validation to mitigate the risk.
While active exploitation is not confirmed, a public proof-of-concept exists, increasing the likelihood of attacks. Continuous monitoring is advised.
Check the Campcodes website or relevant security forums for updates and advisories regarding CVE-2025-14991.