Platform
php
Component
my-cve
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Complete Online Beauty Parlor Management System version 1.0. The weakness resides in an unknown function of the file /admin/bwdates-reports-details.php, where the 'fromdate' parameter is reflected into the page without encoding, allowing an attacker to inject script into the response. A script that runs in a logged-in user's browser can read or act on that user's data with that user's privileges, undermining the integrity of the beauty parlor management system. The vulnerability is publicly known and a proof-of-concept is available.
The primary impact is that an attacker can craft a link to the affected page that carries JavaScript in the 'fromdate' parameter; the script executes in the browser of whoever opens that link, and because the page sits under /admin the realistic target is an administrator. The attacker could use this to steal session cookies, redirect the victim to a phishing site, perform actions in the application with the victim's session, or alter what the victim sees on the page. The vulnerability is remotely exploitable in the sense that the attacker only needs to deliver the link (by e-mail, chat, or a page the victim visits); no network access to the server is required. Given the sensitive nature of beauty parlor management data (customer information, appointment details, payment information), a successful attack could have significant consequences for both the business and its clients.
This vulnerability has been publicly disclosed and a proof-of-concept is available, indicating a higher risk of exploitation. It is not currently listed on CISA KEV. The CVSS score of 2.4 (LOW) reflects the limited impact of a reflected XSS on an administrator-only page, not any difficulty in exploiting it; the public PoC still makes opportunistic attempts likely. Monitor access logs for script-like content in the 'fromdate' parameter and for requests to the affected page from unexpected sources.
Beauty parlors and businesses utilizing Complete Online Beauty Parlor Management System version 1.0 are at risk. This includes those relying on the system for appointment scheduling, customer management, and payment processing. Because the injected script runs in the victim's browser rather than on the server, shared hosting does not by itself amplify this issue; the exposure is the administrator's session and everything that session can reach.
• php / server (confirm the vulnerable file is deployed):
grep -rl 'bwdates-reports-details.php' /var/www/html/
• generic web (check whether the 'fromdate' value is reflected unencoded; the page is under /admin, so supply a valid admin session cookie with -b, and test only systems you are authorized to test):
curl -s -b 'PHPSESSID=<admin-session-id>' --get --data-urlencode 'fromdate=<script>alert("XSS")</script>' 'http://your-website.com/admin/bwdates-reports-details.php' | grep -c '<script>alert("XSS")</script>'
A count of 0 means the payload was not reflected verbatim (absent or encoded); any other count means the raw tag came back in the response body. The original check used curl -I, which performs a HEAD request and prints only headers, so it could never match a reflected body.
Exploit status
EPSS
0.04% (percentile 12%)
CISA SSVC
CVSS vector
The recommended mitigation is to upgrade to a patched version of Complete Online Beauty Parlor Management System; the metadata above lists 1.0.1 as the fixed version, so confirm with the vendor that a release addressing this issue is actually available before relying on it. If it is not, immediate steps should focus on reducing the attack surface. Implement a Web Application Firewall (WAF) rule that rejects non-date values in the 'fromdate' parameter of /admin/bwdates-reports-details.php. Server-side validation (accept only a well-formed calendar date) and HTML output encoding of anything reflected into the page are the actual fix for the root cause. Consider restricting access to the /admin directory to authorized personnel only (for example by IP allow-list or an additional authentication layer), and regularly review and update security configurations.
Update Complete Online Beauty Parlor Management System to a patched version that fixes the cross-site scripting (XSS) vulnerability. Consult the vendor for the corrected version, or apply the necessary security measures to prevent the execution of malicious scripts.
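As an added illustration (this is not the project's code, and the function names, variable names and HTML are assumptions; only the file name and the 'fromdate' parameter come from the advisory), the following PHP shows the reflected-XSS pattern a date-range report page typically has, next to a hardened version that validates the date on input and encodes it on output:

```php
<?php
// Added example, not code from Complete Online Beauty Parlor Management System.
// Names are assumptions; only 'fromdate' and the affected file come from the advisory.

// Vulnerable pattern: the untrusted query parameter is echoed straight into HTML,
// so fromdate=<script>alert("XSS")</script> becomes live script in the response.
function render_report_vulnerable(array $query): string
{
    $from = $query['fromdate'] ?? '';
    return "<p>Report from " . $from . "</p>";
}

// Input validation: accept only an exact YYYY-MM-DD calendar date.
function validate_date(string $value): ?string
{
    // '!' resets unspecified fields so the round-trip comparison below is exact.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // createFromFormat tolerates overflow (2025-02-31 parses as 2025-03-03),
    // so compare the round trip to reject anything that is not a real date.
    if ($d === false || $d->format('Y-m-d') !== $value) {
        return null;
    }
    return $d->format('Y-m-d');
}

// Hardened pattern: reject bad input, and still encode on output as defence in depth
// in case the validation is relaxed later.
function render_report_fixed(array $query): string
{
    $from = validate_date((string)($query['fromdate'] ?? ''));
    if ($from === null) {
        return "<p>Invalid date range.</p>";
    }
    $safe = htmlspecialchars($from, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Report from " . $safe . "</p>";
}

// Constructed sample inputs: a benign date, the PoC-style payload, an overflow date.
$samples = [
    ['fromdate' => '2025-01-15'],
    ['fromdate' => '<script>alert("XSS")</script>'],
    ['fromdate' => '2025-02-31'],
];
foreach ($samples as $q) {
    echo "vulnerable: " . render_report_vulnerable($q) . "\n";
    echo "fixed:      " . render_report_fixed($q) . "\n";
}
```

Run it with `php example.php`: the vulnerable renderer returns the script tag intact for the second input, while the fixed renderer rejects both the payload and the impossible date and only ever emits an encoded, validated value. The same validated value is what should reach any SQL query the report builds, and then only through a prepared statement.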
CVE-2025-14991 is a cross-site scripting (XSS) vulnerability affecting Complete Online Beauty Parlor Management System version 1.0, allowing attackers to inject malicious scripts via the 'fromdate' parameter.
If you are using Complete Online Beauty Parlor Management System version 1.0, you are potentially affected by this XSS vulnerability. Immediate mitigation steps are necessary.
Upgrading to a patched version of the software is the recommended fix. Until a fixed release is confirmed available from the vendor, implement WAF rules and server-side input validation with output encoding to mitigate the risk.
While active exploitation is not confirmed, a public proof-of-concept exists, increasing the likelihood of attacks. Continuous monitoring is advised.
Check the Campcodes website or relevant security forums for updates and advisories regarding CVE-2025-14991.