प्लेटफ़ॉर्म
php
घटक
employee-management-xss
में ठीक किया गया
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Employee Profile Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of arguments within the /view_personnel.php file. Successful exploitation can lead to unauthorized access and data theft, impacting user accounts and sensitive information.
The XSS vulnerability in Employee Profile Management System allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the application. An attacker could potentially gain access to sensitive employee data, including personal information, contact details, and potentially financial records, depending on the application's functionality. The impact is amplified if the application is used to manage highly sensitive employee data or if it integrates with other critical systems.
A public proof-of-concept (PoC) for this vulnerability is available, indicating a potential for widespread exploitation. The vulnerability was disclosed on 2025-12-07. While the CVSS score is LOW, the availability of a PoC increases the risk of exploitation, particularly if the system is publicly accessible. No KEV listing or confirmed exploitation campaigns are currently known.
Organizations utilizing the Employee Profile Management System version 1.0, particularly those with publicly accessible instances or those lacking robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same server resources are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• generic web:
curl -I 'https://example.com/view_personnel.php?per_address=<script>alert(1)</script>' | grep -i 'content-type: text/html'• generic web:
curl 'https://example.com/view_personnel.php?per_address=<script>alert(1)</script>' | grep -o '<[^>]*>' | grep -q 'script'disclosure
एक्सप्लॉइट स्थिति
EPSS
0.04% (11% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-14194 is to upgrade to a patched version of the Employee Profile Management System. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /view_personnel.php endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to filter out malicious script injections. Regularly review and update security policies to prevent future XSS vulnerabilities.
Actualizar a una versión parcheada del sistema de gestión de perfiles de empleados. Contacte al proveedor para obtener una versión corregida o aplique las medidas de seguridad necesarias para evitar la inyección de código malicioso a través de los parámetros per_address, dr_school y other_school en el archivo view_personnel.php.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-14194 is a cross-site scripting (XSS) vulnerability affecting Employee Profile Management System version 1.0, allowing attackers to inject malicious scripts via manipulated arguments in /view_personnel.php.
If you are using Employee Profile Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the Employee Profile Management System. As a temporary workaround, implement input validation and output encoding on the vulnerable endpoint.
While no confirmed exploitation campaigns are currently known, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the official Employee Profile Management System website or security announcements for the latest advisory regarding CVE-2025-14194.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।