Platform
php
Component
pocs
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CampCodes DepEd Equipment Inventory System, specifically affecting version 1.0. This issue resides in the processing of the /data/add_employee.php file, enabling attackers to inject malicious scripts. The vulnerability has been publicly disclosed and poses a risk to systems running the affected version. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0348 allows an attacker to inject arbitrary JavaScript code into the DepEd Equipment Inventory System. This code can then be executed in the context of a user's browser when they access the affected page. The attacker could potentially steal session cookies, redirect users to malicious websites, or deface the application. The impact is primarily focused on user interaction and data theft, but could be amplified if the system handles sensitive information or is integrated with other critical systems. While the CVSS score is LOW, the public disclosure and ease of exploitation make it a significant concern.
This vulnerability was publicly disclosed on 2025-01-09. A proof-of-concept exploit is likely available due to the public disclosure. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The LOW CVSS score suggests a lower probability of widespread exploitation, but the public availability of the vulnerability increases the risk.
Organizations and institutions utilizing the DepEd Equipment Inventory System version 1.0, particularly those with limited resources for immediate patching, are at risk. Shared hosting environments where multiple users share the same server and application code are also at increased risk, as a vulnerability in one application can potentially impact others.
• php / web:
grep -r "<script" /var/www/html/data/add_employee.php
• generic web:
curl -I http://your-deped-inventory-system/data/add_employee.php | grep -i "X-XSS-Protection"
disclosure
Exploit status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0348 is to upgrade to version 1.0.1 of the DepEd Equipment Inventory System. This version contains a fix for the XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /data/add_employee.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
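The interim workaround above (input validation plus output encoding on the page that handles user-supplied employee data) is shown here as an added example; it is not code from the DepEd Equipment Inventory System or from CampCodes. The field names (`employee_name`, `department`), the length limits and the rendered HTML fragment are assumptions, since the real parameters of /data/add_employee.php are not given on this page; the `mbstring` extension is assumed to be available.

```php
<?php
// Added example (not the project's own code): validate each submitted
// field, then HTML-encode every value at the point where it is written
// back into the page. Field names and limits are assumptions.

declare(strict_types=1);

/**
 * Validate and normalise one free-text field.
 * Returns the trimmed value, or null when it fails validation.
 */
function validate_text_field(?string $value, int $maxLen): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    // Reject empty values, over-long values (mbstring assumed) and
    // ASCII control characters.
    if ($value === ''
        || mb_strlen($value, 'UTF-8') > $maxLen
        || preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

/**
 * Output-encode a value for an HTML text or attribute context.
 * ENT_QUOTES encodes both quote styles so the result is also safe inside
 * attribute values; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Process a submitted employee record and build the HTML fragment that
 * echoes it back to the user. Returns ['ok' => bool, 'html' => string].
 */
function handle_add_employee(array $post): array
{
    $name = validate_text_field($post['employee_name'] ?? null, 100);
    $dept = validate_text_field($post['department'] ?? null, 60);
    if ($name === null || $dept === null) {
        return ['ok' => false, 'html' => '<p class="error">Invalid employee data.</p>'];
    }
    // Persist $name / $dept with a prepared statement here (omitted).
    // Every reflected value goes through e() before it reaches the page.
    $html = '<p>Added employee <strong>' . e($name) . '</strong>'
          . ' to department <strong>' . e($dept) . '</strong>.</p>';
    return ['ok' => true, 'html' => $html];
}

// Constructed sample input: one benign record and one whose name carries
// a script tag, as a user of the vulnerable page might submit it.
$benign  = ['employee_name' => 'Maria Santos',          'department' => 'ICT'];
$hostile = ['employee_name' => '<script>x()</script>',  'department' => 'ICT'];

echo handle_add_employee($benign)['html'], PHP_EOL;
// The hostile name is rendered as literal, entity-encoded text rather than
// being interpreted by the browser as markup.
echo handle_add_employee($hostile)['html'], PHP_EOL;
```

Encoding is applied when the value is written into HTML, not when it is stored; storing a pre-encoded string breaks other consumers of the data (exports, APIs) and still leaves any other output path unprotected. If the same value is later placed inside a JavaScript string or a URL, a context-specific encoder is needed there instead of `htmlspecialchars`.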
Update to the patched version of DepEd Equipment Inventory System. If no such version is available, sanitize user input in the /data/add_employee.php file so that malicious code injection is prevented. Validate and escape data before displaying it on the page.
CVE-2025-0348 is a cross-site scripting (XSS) vulnerability affecting DepEd Equipment Inventory System version 1.0, allowing attackers to inject malicious scripts via the /data/add_employee.php file.
You are affected if you are using DepEd Equipment Inventory System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /data/add_employee.php page.
While there are no confirmed reports of active exploitation, the public disclosure increases the likelihood of exploitation.
Refer to the CampCodes website or relevant security forums for the official advisory regarding CVE-2025-0348.