Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System version 1.0. The flaw allows an attacker to inject script into pages served by the application, potentially compromising user sessions and data. It resides in the add-admin.php file, specifically in the handling of the txtpassword, txtfullname, and txtemail parameters. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-3821 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. An attacker could potentially steal sensitive pharmacy data, such as patient information or prescription details, if the application handles such data. The impact is amplified if the system is used in a shared hosting environment, as a compromised instance could potentially affect other applications hosted on the same server.
This vulnerability was publicly disclosed on 2025-04-20. A proof-of-concept exploit is likely available due to the public disclosure. The CVSS score is LOW (2.4), suggesting that exploitation may require specific user interaction or a targeted attack. There is no indication of active exploitation campaigns or inclusion in the CISA KEV catalog at this time.
Exploit Status
EPSS: 0.17% (38th percentile)
The primary mitigation for CVE-2025-3821 is to upgrade to version 1.0.1 of the Web-based Pharmacy Product Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the txtpassword, txtfullname, and txtemail parameters within the add-admin.php file. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads targeting these parameters can provide an additional layer of defense. Review and sanitize all user-supplied input before rendering it in the application's output.
Update to a patched version of the system. If no version is available, sanitize the inputs of the txtpassword, txtfullname, and txtemail fields in the add-admin.php file to prevent the execution of malicious JavaScript code.
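To make the "validate input, encode output" advice concrete, here is an added illustration (not SourceCodester's code; the real add-admin.php is not reproduced on this page). It contrasts the weak pattern the advisory describes, request values echoed straight into HTML, with a hardened handler. The field names txtfullname, txtemail and txtpassword come from the advisory; the function names, the table-row output and the sample input are assumptions constructed for the demonstration.

```php
<?php
// Added illustration, not the project's own code. Field names are from the
// advisory; handler names, output shape and sample data are constructed here.

declare(strict_types=1);

/**
 * Weak pattern: raw request values concatenated into HTML. Any markup the
 * browser submitted in txtfullname or txtemail is rendered as markup.
 */
function renderAdminRowUnsafe(array $post): string
{
    return '<tr><td>' . $post['txtfullname'] . '</td><td>' . $post['txtemail'] . '</td></tr>';
}

/**
 * HTML output encoding. ENT_QUOTES also escapes single quotes, so the same
 * helper is safe for attribute values; ENT_SUBSTITUTE avoids returning an
 * empty string on invalid UTF-8 (which would silently drop data).
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened handler: validate the shape of each field on input, encode every
 * user-controlled value at the point it is rendered, and never echo the
 * password back. Returns ['errors' => [...]] or ['html' => ..., 'password_hash' => ...].
 */
function handleAddAdmin(array $post): array
{
    $errors = [];

    $fullname = trim((string)($post['txtfullname'] ?? ''));
    $email    = trim((string)($post['txtemail'] ?? ''));
    $password = (string)($post['txtpassword'] ?? '');

    // Validation checks shape and length; it does not try to "strip" scripts,
    // because encoding on output is what actually prevents XSS.
    if ($fullname === '' || strlen($fullname) > 200) {
        $errors[] = 'Full name must be 1-200 bytes.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if (strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    if ($errors !== []) {
        return ['errors' => $errors];
    }

    // The password is stored only as a hash and is never rendered anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Output encoding applied to each value as it enters the HTML.
    $html = '<tr><td>' . h($fullname) . '</td><td>' . h($email) . '</td></tr>';

    return ['html' => $html, 'password_hash' => $hash];
}

// Constructed sample input: a harmless <b> tag is enough to show the difference.
$sample = [
    'txtfullname' => 'Alice <b>Admin</b>',
    'txtemail'    => 'alice@example.test',
    'txtpassword' => 'correct-horse-battery-staple',
];

echo renderAdminRowUnsafe($sample), PHP_EOL;   // <b>Admin</b> is interpreted as markup
echo handleAddAdmin($sample)['html'], PHP_EOL; // &lt;b&gt;Admin&lt;/b&gt; is shown literally
```

The point of the split is that validation and encoding answer different questions: filter_var decides whether a value is acceptable at all, while htmlspecialchars decides how an accepted value is represented in HTML. Applying only the first still leaves a full name like the sample above reaching the page as markup, which is the class of defect the advisory describes for add-admin.php.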
CVE-2025-3821 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Web-based Pharmacy Product Management System version 1.0, allowing attackers to inject malicious scripts via parameters handled by the add-admin.php file.
You are affected if you are using SourceCodester Web-based Pharmacy Product Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on vulnerable parameters.
While there's no confirmed active exploitation, a proof-of-concept is likely available due to the public disclosure, making exploitation possible.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2025-3821.