Platform: php
Component: online-bike-rental
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability, rated problematic, has been identified in Online Bike Rental version 1.0. The flaw resides in the /vehical-details.php file, specifically in the HTTP GET request handler. Successful exploitation allows remote attackers to inject scripts into the page, potentially compromising user sessions and data integrity. The vulnerability is resolved in version 1.0.1.
The XSS vulnerability in Online Bike Rental allows an attacker to inject arbitrary JavaScript into the application, which then executes in the context of a victim's browser when they visit the affected page. An attacker could use this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is greater if the application handles sensitive data or is integrated with other systems, since the attacker could gain access to that data or use the compromised application as a foothold for further attacks. Although the CVSS score is LOW, the potential for user compromise and data theft remains a real concern.
CVE-2025-0339 was publicly disclosed on 2025-01-09. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's LOW CVSS score suggests a lower probability of active exploitation, but diligent monitoring is still recommended. It is not currently listed on the CISA KEV catalog.
Organizations and individuals running Online Bike Rental version 1.0 are at risk. Shared hosting environments, where multiple users share the same server, are particularly exposed, as an attacker could potentially compromise the entire server after successfully exploiting the vulnerability on one user's account.
• php / web: Send a request carrying a script payload and check the response status line.
    curl -I 'http://your-bike-rental-site.com/vehical-details.php?param=<script>alert(1)</script>' | grep HTTP/1.1
• php / web: Examine /vehical-details.php for missing input sanitization or output encoding on user-supplied parameters.
• generic web: Monitor access logs for unusual GET requests to /vehical-details.php containing suspicious characters such as <script> or onerror.
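The log-monitoring step above, worked through as an added example that is not part of the advisory or of the Online Bike Rental project: a small PHP scanner that parses combined-format access log lines, keeps only GET requests to /vehical-details.php, URL-decodes the query string and flags entries carrying script markup or event-handler attributes. The log lines are constructed sample data; the marker patterns and field names are this example's own choices.

```php
<?php
// Added example (not project code). Scans combined-format access log lines for
// GET requests to /vehical-details.php whose decoded query string carries
// script markup or an event-handler attribute. SAMPLE_LOG is constructed data.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [09/Jan/2025:10:01:12 +0000] "GET /vehical-details.php?vid=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jan/2025:10:02:03 +0000] "GET /vehical-details.php?vid=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4402 "-" "curl/8.4.0"
203.0.113.9 - - [09/Jan/2025:10:02:40 +0000] "GET /vehical-details.php?vid=1%22%20onerror%3Dalert(1) HTTP/1.1" 200 4390 "-" "curl/8.4.0"
198.51.100.2 - - [09/Jan/2025:10:03:15 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
LOG;

// Heuristic markers checked against the URL-decoded query string. They are
// deliberately broad (e.g. any on...= attribute) and will produce some false
// positives on parameter names that happen to start with "on".
const XSS_MARKERS = [
    '/<\s*script\b/i',            // <script ...>
    '/\bon[a-z]+\s*=/i',          // onerror=, onload=, onmouseover=, ...
    '/javascript\s*:/i',          // javascript: URLs
    '/<\s*(img|svg|iframe)\b/i',  // tags commonly used to carry event handlers
];

/**
 * Parse one combined-format line into the fields this check needs.
 * Returns null when the line does not match the expected layout.
 */
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $path  = parse_url($m[4], PHP_URL_PATH) ?? $m[4];
    $query = parse_url($m[4], PHP_URL_QUERY) ?? '';
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $path,
        'query'  => rawurldecode($query), // decode so %3Cscript%3E is seen as <script>
        'status' => (int) $m[5],
    ];
}

/** Return the requests that look like script-injection probes against the handler. */
function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseAccessLine($line);
        if ($req === null || $req['method'] !== 'GET' || $req['path'] !== '/vehical-details.php') {
            continue; // other paths and methods are out of scope for this advisory
        }
        foreach (XSS_MARKERS as $pattern) {
            if (preg_match($pattern, $req['query'])) {
                $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'query' => $req['query'], 'marker' => $pattern];
                break; // one hit per request is enough
            }
        }
    }
    return $hits;
}

foreach (findSuspiciousRequests(SAMPLE_LOG) as $hit) {
    printf("%s %s matched %s: %s\n", $hit['time'], $hit['ip'], $hit['marker'], $hit['query']);
}
```

Run it from the CLI with `php scan.php`; to use it on a real log, replace SAMPLE_LOG with `file_get_contents('/var/log/apache2/access.log')` (path assumed). Decoding the query string before matching matters: the raw line contains `%3Cscript%3E`, so a grep for the literal `<script>` would miss it.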
Exploit status: disclosure
EPSS: 0.17% (percentile 38%)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-0339 is to upgrade Online Bike Rental to version 1.0.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the /vehical-details.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape.
Update to a fixed version or apply the necessary security measures to prevent XSS code injection. Properly validate and escape user input in the /vehical-details.php file, in particular in the HTTP GET request handler. Implement a Content Security Policy (CSP) to reduce the impact of XSS.
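The mitigations described in the two paragraphs above (input validation, output encoding and a CSP on /vehical-details.php), shown as an added PHP example that is not the project's own code. The advisory does not name the affected parameter, so the `vid` parameter, the lookup stand-in and the page markup are assumptions; the commented-out line illustrates the unencoded-output pattern the fix replaces.

```php
<?php
// Added example, not code from the Online Bike Rental project. The parameter
// name "vid", the $vehicle array and the markup are assumptions.

// Vulnerable pattern (illustrative, left commented out): untrusted input is
// written into the HTML body unencoded, so the browser treats it as markup.
// echo "<h2>Details for vehicle " . $_GET['vid'] . "</h2>";

/** Encode a value for safe interpolation into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Input validation: accept only a positive integer vehicle id.
 * Returns null for anything else (strings, arrays, negatives) so the caller
 * can answer with 400 instead of reflecting the input back.
 */
function vehicleIdFromQuery(array $query): ?int
{
    $raw = $query['vid'] ?? '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Output encoding: every dynamic value is encoded at the point it enters the
 * page, including values read from the database, since stored data may
 * itself have been supplied by a user earlier.
 */
function renderVehicleDetails(?int $id, array $vehicle): string
{
    if ($id === null) {
        return '<p>Invalid vehicle id.</p>';
    }
    return '<h2>Details for vehicle ' . h((string) $id) . '</h2>'
         . '<p>Model: ' . h($vehicle['model']) . '</p>';
}

if (PHP_SAPI !== 'cli') {
    // Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
    // script from running even if an encoding mistake slips through elsewhere.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');

    $id = vehicleIdFromQuery($_GET);
    if ($id === null) {
        http_response_code(400);
    }
    $vehicle = ['model' => 'Trek FX 2 <demo>']; // constructed stand-in for the DB lookup
    echo renderVehicleDetails($id, $vehicle);
} else {
    // CLI demonstration with a constructed hostile value: the id validator
    // returns null for it, and a stored "<" is rendered as &lt; rather than markup.
    $hostile = ['vid' => '<script>alert(1)</script>'];
    var_dump(vehicleIdFromQuery($hostile));
    echo renderVehicleDetails(7, ['model' => 'Trek FX 2 <demo>']), PHP_EOL;
}
```

Validation and encoding are separate layers: validation rejects what the handler should never accept, and encoding makes whatever does reach the page inert in its HTML context. The CSP is the third layer and also covers any other page that reflects input.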
CVE-2025-0339 is a cross-site scripting (XSS) vulnerability affecting Online Bike Rental version 1.0, allowing attackers to inject malicious scripts via the /vehical-details.php file.
You are affected if you are using Online Bike Rental version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary measure, implement input validation and output encoding on the /vehical-details.php page.
No active exploitation has been confirmed at this time, but diligent monitoring is recommended.
Refer to the Online Bike Rental project's official website or repository for the latest security advisories and updates.