Platform
php
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in the Human Metapneumovirus Testing Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'email' parameter within the admin profile page (/profile.php). The vulnerability has been publicly disclosed and a patch is available in version 1.0.1, addressing the issue.
Successful exploitation of CVE-2025-2375 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Human Metapneumovirus Testing Management System. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive user data, including personal information and potentially medical testing results, depending on the system's data handling practices. The impact is amplified if the system is used in a healthcare setting, where patient data confidentiality is paramount.
This vulnerability was publicly disclosed on 2025-03-17. A proof-of-concept exploit is likely available given the public disclosure. The CVSS score is LOW, suggesting that exploitation may require specific user interaction or a targeted attack. There is no indication of active exploitation campaigns at this time, but the public availability of the vulnerability increases the risk of opportunistic attacks.
Exploit Status
EPSS
0.09% (25% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2375 is to immediately upgrade the Human Metapneumovirus Testing Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'email' parameter in /profile.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /profile.php endpoint can provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the email field and verifying that the script is not executed.
Update the Human Metapneumovirus Testing Management System to a patched version or implement input sanitization measures in the profile.php file, specifically on the 'email' argument, to prevent Cross-Site Scripting (XSS) attacks. Validate and escape user input before displaying it on the page to prevent malicious code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2375 is a cross-site scripting (XSS) vulnerability in Human Metapneumovirus Testing Management System version 1.0, allowing attackers to inject malicious scripts via the email parameter in /profile.php.
You are affected if you are running Human Metapneumovirus Testing Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'email' parameter in /profile.php.
There is no current indication of active exploitation, but the public disclosure increases the risk of opportunistic attacks.
Refer to the vendor's official website or security advisories for the most up-to-date information regarding CVE-2025-2375.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.