Plateforme
php
Composant
cve2
Corrigé dans
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Wazifa System versions 1.0 through 1.0. The vulnerability resides within the searchuser function of the /search_resualts.php file. Attackers can exploit this by manipulating the firstname or lastname arguments, potentially leading to malicious script execution. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-1209 allows an attacker to inject arbitrary JavaScript code into the Wazifa System application. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data, such as login credentials or personal information, depending on the application's functionality and data handling practices. Because the vulnerability is triggered via user input, it is relatively easy to exploit, especially if the application lacks proper input sanitization.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation means it could be targeted by opportunistic attackers. No known active campaigns or KEV listing at the time of writing. Public proof-of-concept code is likely to emerge given the disclosure.
Organizations and individuals using Wazifa System version 1.0 are at risk. Shared hosting environments where Wazifa System is deployed are particularly vulnerable, as attackers may be able to exploit the vulnerability through other tenants on the same server.
• php / web:
grep -r "firstname|lastname" /var/www/wazifasystem/search_resualts.php• generic web:
curl -I http://your-wazifa-system/search_resualts.php?firstname=<script>alert(1)</script>disclosure
Statut de l'Exploit
EPSS
0.27% (percentile 50%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-1209 is to upgrade Wazifa System to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the firstname and lastname parameters within the /search_resualts.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and strengthen the application's overall input sanitization practices to prevent similar vulnerabilities in the future. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload via the search functionality.
Actualice a una versión parcheada o aplique las correcciones necesarias en el archivo `/search_resualts.php` para evitar la ejecución de código XSS. Escapa o sanitiza las entradas de los parámetros `firstname` y `lastname` antes de mostrarlas en la página web. Valide y filtre los datos de entrada para prevenir inyección de código malicioso.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-1209 is a cross-site scripting (XSS) vulnerability in Wazifa System 1.0, allowing attackers to inject malicious scripts via the firstname/lastname parameters in /search_resualts.php.
Yes, if you are running Wazifa System version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade Wazifa System to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the firstname and lastname parameters.
While no active campaigns are currently confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the Wazifa System project's official website or repository for the latest security advisories and updates related to CVE-2025-1209.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.