Platform
php
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Art Gallery Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /search.php file and can be triggered by manipulating the 'search' argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-2047 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, defacement of the Art Gallery Management System's web pages, and redirection to phishing sites. Sensitive user data, such as login credentials or personal information stored within the application, could be exposed. The remote nature of the vulnerability means an attacker doesn't need local access to exploit it.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on CISA KEV.
Organizations using the PHPGurukul Art Gallery Management System, particularly those with publicly accessible instances and limited security controls, are at risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• php: Examine /search.php for unsanitized user input used in output.

    if (isset($_GET['search'])) {
        $search = $_GET['search'];
        echo $search; // Vulnerable line - no sanitization
    }

• generic web: Check access logs for unusual requests to /search.php with suspicious parameters.
• generic web: Use curl to test the /search.php endpoint with various payloads (e.g., <script>alert('XSS')</script>).
disclosure
Exploit status
EPSS
0.12% (percentile 30%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2047 is to upgrade the Art Gallery Management System to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'search' parameter within the /search.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape.
Upgrade to a fixed version of the Art Gallery Management System. If no fixed version is available, sanitize the 'search' parameter input in the /search.php file to prevent the execution of malicious JavaScript code.
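One way to apply the input validation and output encoding described above to the 'search' parameter, shown as an added example (it is not the vendor's 1.0.1 patch and not code from the original page). The function names validate_search and html_escape and the 100-character limit are assumptions, and the code assumes PHP 8 with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not PHPGurukul's own code.

/**
 * Input validation: accept only a non-empty UTF-8 string of bounded length
 * that contains no control characters. Returns null when the value is rejected.
 */
function validate_search(mixed $raw, int $maxLen = 100): ?string
{
    if (!is_string($raw)) {
        return null; // e.g. ?search[]=x is delivered as an array
    }
    $value = trim($raw);
    if ($value === '' || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        return null; // assumed limit; adjust to what the search feature needs
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if (isset($_GET['search'])) {
    $search = validate_search($_GET['search']);

    if ($search === null) {
        http_response_code(400);
        echo 'Invalid search term.';
    } else {
        // Encode at the point of output so markup in the value is rendered as text.
        echo '<p>Results for: ' . html_escape($search) . '</p>';
        echo '<input type="text" name="search" value="' . html_escape($search) . '">';
    }
}
```

Validation alone does not remove the flaw; the encoding call at each place the value is written into HTML is what stops the browser from interpreting it as markup.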
CVE-2025-2047 is a cross-site scripting (XSS) vulnerability in PHPGurukul Art Gallery Management System version 1.0, allowing attackers to inject malicious scripts via the /search.php file.
You are affected if you are using PHPGurukul Art Gallery Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'search' parameter in /search.php.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2025-2047.