Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Blood Bank System version 1.0. The flaw resides in the AB+.php file and is triggered by manipulating the Bloodname argument. Successful exploitation allows remote attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Blood Bank System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe if the Blood Bank System handles sensitive patient data, as an attacker could potentially gain access to this information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the system.
This vulnerability was publicly disclosed on 2025-03-06. A proof-of-concept exploit is likely to be available due to the public disclosure. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation and potential impact warrant prompt remediation. No KEV listing or confirmed exploitation campaigns are currently known.
Organizations and individuals using the Blood Bank System version 1.0 are at risk. This includes healthcare providers, blood banks, and any entity relying on this system for managing blood-related data. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially exploit the vulnerability on one user's account to gain access to others.
• php / server (find the unsanitized assignment; the pattern is quoted so the shell does not expand `$_GET` and `-F` keeps the brackets literal):
  grep -rF "Bloodname = \$_GET['Bloodname']" /var/www/html/
• generic web (check whether the parameter is reflected in the response body; `-I` would only fetch headers, so the body is requested instead):
  curl -s "http://your-blood-bank-system/AB+.php?Bloodname=<script>alert('XSS')</script>"
Exploit status
EPSS
0.12% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2049 is to upgrade to version 1.0.1 of the Blood Bank System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Bloodname parameter in AB+.php to sanitize user-supplied data. While not a complete solution, this can reduce the risk of successful exploitation. Additionally, consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and conduct penetration testing to identify and address potential vulnerabilities.
Update to a fixed version or apply the necessary security measures to prevent execution of XSS code. Validate and sanitize user input, in particular the Bloodname parameter in the AB+.php file. Implement a Content Security Policy (CSP) to mitigate XSS risks.
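The validation, output encoding and CSP measures described above, as an added PHP example that is not the Blood Bank System's own code; the shape of the vulnerable line (`$Bloodname = $_GET['Bloodname']` echoed into the page), the function names and the blood-group allowlist are assumptions:

```php
<?php
// Added example (not the Blood Bank System's own code). It assumes the
// vulnerable shape the detection grep looks for: $Bloodname = $_GET['Bloodname']
// echoed straight into the HTML response. Function names are hypothetical.

// Vulnerable pattern (do not use): the raw parameter lands in the page, so a
// value such as <script>...</script> is parsed by the browser as markup.
function render_bloodname_vulnerable(array $get): string
{
    $Bloodname = $get['Bloodname'] ?? '';
    return "<h2>Blood group: $Bloodname</h2>";
}

// Hardened version: validate against the closed set of blood groups the
// application handles, then HTML-encode at the output point regardless.
const BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

function render_bloodname_safe(array $get): string
{
    $raw = (string)($get['Bloodname'] ?? '');
    // Input validation: anything outside the allowlist is rejected outright.
    if (!in_array($raw, BLOOD_GROUPS, true)) {
        http_response_code(400);
        return '<p>Invalid blood group.</p>';
    }
    // Output encoding: ENT_QUOTES covers both quote styles so the value is
    // also safe inside attribute values; UTF-8 avoids charset-based bypasses.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Blood group: $safe</h2>";
}

// Defence in depth: the Content-Security-Policy the advisory recommends keeps
// an injected inline script from running even if an encoding step is missed.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input mirroring the probe from the detection section.
$probe = ['Bloodname' => "<script>alert('XSS')</script>"];
send_csp_header();
echo render_bloodname_vulnerable($probe), "\n"; // script tag reaches the browser intact
echo render_bloodname_safe($probe), "\n";       // rejected, HTTP 400
echo render_bloodname_safe(['Bloodname' => 'AB+']), "\n"; // legitimate value passes
```

The allowlist check is the stronger control here because the parameter only ever carries one of eight known values; the encoding step remains in place so a future change to the allowlist cannot reintroduce the bug.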
CVE-2025-2049 is a cross-site scripting (XSS) vulnerability in Blood Bank System version 1.0, allowing attackers to inject malicious scripts via the Bloodname parameter in AB+.php.
You are affected if you are using Blood Bank System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the Bloodname parameter.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-2049.