Platform: php
Component: tutorial
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Client Details System version 1.0. This flaw allows a remote attacker to inject malicious scripts, potentially leading to session hijacking or defacement of the application. The vulnerability resides within an unknown function of the /admin/manage-users.php file. Affected versions include 1.0, and a fix is available in version 1.0.1.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as session cookies, redirect users to malicious websites, or modify the content displayed on the application. Given the location of the vulnerable file (/admin/manage-users.php), an attacker could potentially target administrators, gaining elevated privileges and access to sensitive data. The public availability of an exploit significantly increases the risk of widespread exploitation.
A public proof-of-concept (PoC) for this vulnerability is available, indicating a relatively high likelihood of exploitation. The vulnerability was publicly disclosed on 2025-10-27. While the CVSS score is LOW (2.4), the availability of a PoC and the potential for administrator targeting elevate the risk. No KEV listing or confirmed exploitation campaigns have been reported at this time.
Administrators and users with access to the /admin/manage-users.php page are at the highest risk. Organizations using Client Details System 1.0 in production environments, particularly those without robust input validation and output encoding practices, are also vulnerable. Shared hosting environments where multiple users share the same server instance are at increased risk due to the potential for cross-tenant exploitation.
• php / web: curl -I 'http://your-server.com/admin/manage-users.php?param=<script>alert(1)</script>' | grep -i 'content-type'
• php / web: Examine /admin/manage-users.php for unescaped user input used in output.
• generic web: Monitor access logs for unusual requests to /admin/manage-users.php with suspicious parameters.
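To make the log-monitoring suggestion above concrete, here is an added example (not from this page or the vendor) that scans constructed access-log lines for requests to /admin/manage-users.php whose decoded query parameters carry common reflected-XSS markers. The combined log format, the marker list, the double-decoding depth and the sample lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (Apache/nginx "combined" format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:01:12 +0000] "GET /admin/manage-users.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2025:10:02:44 +0000] "GET /admin/manage-users.php?param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "curl/8.4.0"
10.0.0.9 - - [27/Oct/2025:10:03:01 +0000] "GET /admin/manage-users.php?name=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5190 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Oct/2025:10:03:30 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Assumed log layout: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse triage heuristic (assumption): tag/protocol/event-handler fragments typical of reflected-XSS probes.
# It is meant to surface candidates for a human to review, not to be a precise classifier.
XSS_MARKERS = re.compile(
    r'<\s*script|<\s*/?\s*(?:img|svg|iframe|body)\b|javascript:|[\s"\'/]on[a-z]+\s*=',
    re.IGNORECASE,
)

WATCHED_PATH = "/admin/manage-users.php"  # the file named in the advisory


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per request to WATCHED_PATH whose query string carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        # parse_qsl already decodes once; decode_fully handles further nested encoding.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)
            if XSS_MARKERS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} param={h["param"]!r} value={h["value"]!r} status={h["status"]}')
```

Run against a real log by reading the file into find_suspicious; each hit names the source IP, timestamp, parameter and decoded value for follow-up.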
disclosure
poc
Exploit status
EPSS: 0.08% (percentile 23%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12282 is to upgrade to version 1.0.1 of Client Details System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /admin/manage-users.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden access controls to the /admin/manage-users.php page to limit potential attack surface.
Update to a patched version of the software. If no patched version is available, review the code in /admin/manage-users.php and apply the security measures needed to prevent injection of malicious code through user input. Escape or sanitize user input before displaying it on the page.
CVE-2025-12282 is a cross-site scripting (XSS) vulnerability in Client Details System 1.0 that allows remote attackers to inject malicious scripts via the /admin/manage-users.php file.
You are affected if you are running Client Details System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /admin/manage-users.php page.
A public proof-of-concept is available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the Client Details System vendor's website or security advisory page for the official advisory regarding CVE-2025-12282.