Platform: php
Component: bloodbanksystem_poc
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Blood Bank System, affecting versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /Blood/A-.php file and is triggered by manipulating the Bloodname parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-1586 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the Blood Bank System interface. The attacker could potentially gain access to sensitive patient data or manipulate the system's functionality. The remote nature of the vulnerability means an attacker does not need local access to exploit it.
This vulnerability was publicly disclosed on 2025-02-23. A proof-of-concept exploit is likely available given the public disclosure. The CVSS score is LOW, suggesting that exploitation may require specific user interaction or a complex attack chain. There is no indication of active exploitation campaigns at this time, nor is it listed on CISA KEV.
Organizations utilizing the code-projects Blood Bank System, particularly those running version 1.0, are at risk. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability.
• php / web:
curl -s -X POST "http://your-blood-bank-system/Blood/A-.php?Bloodname=<script>alert(1)</script>" | grep "<script>alert(1)</script>"
• generic web:
curl -I "http://your-blood-bank-system/Blood/A-.php?Bloodname=<script>alert(1)</script>"
• generic web: Examine access logs for requests to /Blood/A-.php containing suspicious characters or script tags in the Bloodname parameter.
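As an added example (not part of this advisory), the following Python scanner implements the access-log check above: it parses combined-format log lines, URL-decodes the Bloodname parameter of requests to /Blood/A-.php (repeatedly, so double-encoded payloads are not missed), and reports values containing markup characters or inline-script patterns. The log lines are constructed samples; the hostnames, IPs and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Client IP, timestamp, request line and status of an Apache/Nginx combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A blood-type value never legitimately contains tags, URL schemes or event handlers.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)

# Constructed sample log: one benign request, two payloads (one double-encoded), one other path.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2025:10:01:02 +0000] "GET /Blood/A-.php?Bloodname=O%2B HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Feb/2025:10:02:10 +0000] "GET /Blood/A-.php?Bloodname=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.4.0"
203.0.113.9 - - [23/Feb/2025:10:02:11 +0000] "POST /Blood/A-.php?Bloodname=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.4.0"
198.51.100.2 - - [23/Feb/2025:10:03:00 +0000] "GET /Blood/index.php?Bloodname=%3Cb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def decode_param(value: str) -> str:
    """URL-decode up to three rounds, stopping when the value no longer changes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return (ip, timestamp, decoded Bloodname) for each suspicious request to /Blood/A-.php."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != "/Blood/A-.php":
            continue
        # parse_qs performs the first decoding round; decode_param handles nested encodings.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("Bloodname", []):
            value = decode_param(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} Bloodname={value!r}")
```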
disclosure
Exploit status
EPSS: 0.13% (percentile 33%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1586 is to upgrade to version 1.0.1 of the Blood Bank System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Bloodname parameter within the /Blood/A-.php file to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the Bloodname parameter and verifying that the script is not executed.
Update to a patched version of Blood Bank System. If no patched version is available, sanitize the 'Bloodname' input to prevent execution of malicious JavaScript code. Implement input validation and output encoding to prevent XSS attacks.
CVE-2025-1586 is a cross-site scripting (XSS) vulnerability in Blood Bank System versions 1.0 through 1.0, allowing attackers to inject malicious scripts via the Bloodname parameter in /Blood/A-.php.
You are affected if you are running Blood Bank System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Bloodname parameter.
There is no current indication of active exploitation campaigns, but a proof-of-concept exploit is likely available due to public disclosure.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-1586.