Platform
php
Component
cveproject
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Best Church Management Software versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the /admin/redirect.php file and can be exploited remotely. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-1597 enables an attacker to inject arbitrary JavaScript code into the Best Church Management Software application. This can be leveraged to steal user credentials, redirect users to malicious websites, or modify the application's behavior. The impact is particularly severe for administrative users, as their accounts could be compromised, granting the attacker full control over the church management system. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected system. While the CVSS score is LOW, the potential for data theft and system compromise warrants immediate attention.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's public disclosure. The vendor has not responded to early disclosure attempts, which may indicate a lack of responsiveness to security concerns.
Churches and religious organizations utilizing SourceCodester Best Church Management Software, particularly those running versions 1.0 through 1.0, are at risk. Organizations relying on this software for sensitive data management, such as member information and financial records, face a heightened risk of compromise.
• php: Examine access logs for requests to /admin/redirect.php with unusual or suspicious values in the a parameter.
  grep "/admin/redirect.php?a=" /var/log/apache2/access.log | less
• generic web: Use curl to test the /admin/redirect.php endpoint with a simple XSS payload (e.g., <script>alert(1)</script>).
  curl 'http://example.com/admin/redirect.php?a=<script>alert(1)</script>'
• generic web: Check response headers for signs of script injection or unexpected behavior.
disclosure
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1597 is to immediately upgrade to version 1.0.1 of Best Church Management Software. If upgrading is not immediately feasible, consider implementing strict input validation on the 'a' parameter within the /admin/redirect.php file to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious activity related to the /admin/redirect.php endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload via the 'a' parameter and verifying that it is properly sanitized.
Upgrade to a patched version of the software. If no patched version is available, disabling or removing the software until a fix is published is recommended. Validate and sanitize user input in the 'a' parameter of the /admin/redirect.php file to prevent injection of malicious code.
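The input validation recommended above, as an added illustration that is not SourceCodester's code and not part of this advisory. The real contents of /admin/redirect.php are not reproduced on this page, so the unsafe handler below is an assumed, typical pattern for a reflected redirect parameter; the allow-list keys and target paths are likewise assumptions chosen for the example.

```php
<?php
// Added example; not the project's code. The unsafe function is an assumed
// pattern showing how an unencoded, user-controlled "a" parameter becomes
// reflected XSS; the hardened functions show the allow-list validation and
// output encoding the mitigation section recommends.

// UNSAFE (assumed pattern): the parameter is written into the page verbatim,
// so a value containing markup or script runs in the administrator's browser.
function render_redirect_unsafe(string $a): string
{
    return '<meta http-equiv="refresh" content="0;url=' . $a . '">';
}

// Allow-list of redirect keys -> in-application paths (assumed values).
const ALLOWED_TARGETS = [
    'dashboard' => '/admin/index.php',
    'members'   => '/admin/members.php',
];

// Map the "a" parameter to a known path, or null if it is not acceptable.
// Only short lowercase alphanumeric keys are considered, so script tags,
// absolute URLs and protocol-relative (//host) values never reach the lookup.
function resolve_redirect_target(string $a): ?string
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $a)) {
        return null;
    }
    return ALLOWED_TARGETS[$a] ?? null;
}

// Hardened handler: redirect via a Location header to an allow-listed path;
// on rejection, HTML-encode the value before it is written into the response
// so that even the error path cannot reflect markup.
function handle_redirect(string $a): string
{
    $target = resolve_redirect_target($a);
    if ($target === null) {
        http_response_code(400);
        return 'Invalid redirect target: '
            . htmlspecialchars($a, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    header('Location: ' . $target, true, 302);
    return '';
}

// Self-check on constructed inputs (not values taken from the advisory).
function self_check(): bool
{
    return resolve_redirect_target('members') === '/admin/members.php'
        && resolve_redirect_target('<script>alert(1)</script>') === null
        && resolve_redirect_target('https://attacker.example/') === null
        && resolve_redirect_target('//attacker.example') === null
        && strpos(htmlspecialchars('<script>', ENT_QUOTES | ENT_HTML5, 'UTF-8'), '<') === false;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
}
```

The allow-list approach is preferable to trying to strip dangerous characters from an arbitrary URL: it removes the open-redirect risk at the same time as the XSS, and the encoded error path means no request value is ever echoed raw. After upgrading to 1.0.1, the same constructed inputs can be replayed against the patched endpoint to confirm that the reflected value is encoded or rejected rather than rendered.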
CVE-2025-1597 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Best Church Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/redirect.php file.
You are affected if you are using SourceCodester Best Church Management Software version 1.0 or 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement strict input validation on the 'a' parameter in /admin/redirect.php.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed, but is possible.
The vendor has not yet released an official advisory. Monitor the SourceCodester website and security forums for updates.