Platform: php
Component: multi-restaurant-table-reservation-system-search
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability, rated problematic, has been identified in SourceCodester Vehicle Management System version 1.0. It affects the /confirmbooking.php file: an attacker can inject script into the page by manipulating the 'id' argument. The vulnerability is exploitable remotely and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-2377 allows an attacker to inject arbitrary JavaScript code into the Vehicle Management System. This could lead to session hijacking, defacement of the application, or redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or vehicle data, depending on the application's functionality and data handling practices. While the CVSS score is LOW, the ease of remote exploitation and the reliance on user interaction make it a concerning issue, particularly for systems with limited security controls.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and public disclosure. The vulnerability was published on 2025-03-17.
Exploit Status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2377 is to upgrade to version 1.0.1 of the SourceCodester Vehicle Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /confirmbooking.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden all other input points to prevent similar vulnerabilities.
Update to a patched version of the vehicle management system. If a patched version is not available, sanitize the input of the 'id' parameter in the confirmbooking.php file to prevent the execution of malicious JavaScript code. Use XSS-specific escaping functions when displaying user input.
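The mitigation above (validate the 'id' parameter, then HTML-escape it on output) in concrete form. This is an added example, not SourceCodester's code: the real confirmbooking.php is not reproduced on this page, so the page structure, the assumption that a booking id is a positive integer, and the function names are all hypothetical. It places the reflected pattern the advisory describes beside a hardened version so the difference can be run locally with `php example.php`.

```php
<?php
// Added example (not SourceCodester's code). Assumes confirmbooking.php
// reads an 'id' query parameter and echoes it into the confirmation page.

declare(strict_types=1);

// --- Vulnerable pattern: request parameter written straight into HTML -----
function render_confirmation_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    // No validation and no encoding: any markup in 'id' (including a
    // script element) is emitted verbatim and interpreted by the browser.
    return "<p>Booking #" . $id . " confirmed.</p>";
}

// --- Hardened pattern: validate the type, then encode on output ------------
// Booking ids are assumed to be positive integers; anything else is rejected
// before it reaches the template, so an attacker-controlled string never
// becomes part of the page at all.
function validate_booking_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding is applied even to the validated value (defence in depth).
// ENT_QUOTES encodes both quote styles so the result is also safe inside an
// attribute value; ENT_SUBSTITUTE avoids returning an empty string on bad
// UTF-8; the explicit charset avoids relying on the default.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_confirmation_hardened(array $query): string
{
    $id = validate_booking_id($query['id'] ?? null);
    if ($id === null) {
        // Fixed message: the rejected value is not reflected back. The
        // calling handler should also send an HTTP 400 status.
        return "<p>Invalid booking reference.</p>";
    }
    return "<p>Booking #" . h((string) $id) . " confirmed.</p>";
}

// Constructed sample requests (not captured traffic) for a local comparison.
$probe = ['id' => '<i>injected</i>'];
$good  = ['id' => '42'];

echo render_confirmation_vulnerable($probe), PHP_EOL;  // markup is reflected as markup
echo render_confirmation_hardened($probe), PHP_EOL;    // Invalid booking reference.
echo render_confirmation_hardened($good), PHP_EOL;     // Booking #42 confirmed.
```

Validation and encoding serve different purposes and both are kept: validation removes the attacker's control over the value entirely, while `h()` guarantees that whatever does reach the template is rendered as text, which matters when a later change relaxes the validation or reuses the template for a free-text field.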
CVE-2025-2377 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Vehicle Management System version 1.0. It allows attackers to inject malicious scripts via the /confirmbooking.php file.
You are affected if you are using SourceCodester Vehicle Management System version 1.0. Check your version and upgrade immediately if vulnerable.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the /confirmbooking.php page.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2025-2377.