Platform
php
Component
my-cves
Fixed version
1.0.1
CVE-2025-0538 is a problematic cross-site scripting (XSS) vulnerability discovered in the Tourism Management System. It allows an attacker to inject script into pages served by the application, which can lead to session hijacking or defacement of the page a victim views. It affects version 1.0 and has been addressed in version 1.0.1.
Successful exploitation of CVE-2025-0538 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information, such as session cookies, redirect users to malicious websites, or modify the content displayed on the Tourism Management System. The attack can be launched remotely, increasing the potential attack surface. The impact is amplified if the system is used to manage sensitive user data or financial transactions, as attackers could potentially gain unauthorized access to this information.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date (2025-01-17). No KEV listing is currently available.
Administrators and users of the Tourism Management System are at risk, particularly where the system holds sensitive customer or payment data. Because the vulnerable endpoint sits under /admin/, the most valuable target is an administrator whose browser renders the injected script while logged in: that session can then be used to act on the application with administrative rights. Note that an XSS payload executes in the victim's browser, not on the server, so other sites on a shared host are not compromised by this issue unless they run the vulnerable application themselves.
• source tree (run from the application's web root; confirms the parameter is read and rendered by the affected file):
grep -n "pgedetails" admin/manage-pages.php
• generic web (the endpoint is under /admin/, so an authenticated admin session cookie may be required; inspect the response body, since headers alone cannot show whether the value is reflected):
curl -s -G 'http://your-tourism-management-system.com/admin/manage-pages.php' --data-urlencode 'pgedetails=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>'
A count of 1 or more means the payload is reflected unencoded; a patched instance returns 0 because the characters come back as &lt;script&gt;.
Exploit status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0538 is to upgrade the Tourism Management System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, apply input validation and, more importantly, context-appropriate output encoding to the pgedetails parameter where /admin/manage-pages.php writes it into the response; encoding at the output boundary is what stops injected markup from being interpreted by the browser. Additionally, a Web Application Firewall (WAF) rule that blocks XSS patterns against this endpoint reduces exposure, but it is a compensating control, not a fix. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS payload in the pgedetails parameter and verifying that the response returns it encoded (for example as &lt;script&gt;) rather than as live markup.
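As an added example, not code from the Tourism Management System or its author, the following PHP reproduces the bug class described above as a hypothetical render function and places the output-encoding fix beside it. The function names, the way the parameter is written into the page, and the validation limits are assumptions about the original's structure, not a copy of it.

```php
<?php
// Added example (not the Tourism Management System's own code). Function
// names, request wiring and validation limits are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request parameter is concatenated into the HTML
// response unchanged, so a value such as <script>alert(1)</script> is
// executed by the browser of whoever views the page (here, an admin).
function render_details_vulnerable(string $pgedetails): string
{
    return '<div class="details">' . $pgedetails . '</div>';
}

// Hardened pattern: encode at the output boundary for an HTML text context.
// ENT_QUOTES also encodes ' and ", which matters if the value is ever placed
// inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string, which would silently hide a failure.
function render_details_safe(string $pgedetails): string
{
    $encoded = htmlspecialchars($pgedetails, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="details">' . $encoded . '</div>';
}

// Optional server-side validation in front of the encoding step: reject
// empty values and values over a sane byte length. Validation narrows the
// input; it does not replace output encoding. The limit is an assumption.
function validate_details(string $pgedetails, int $maxBytes = 4000): ?string
{
    $trimmed = trim($pgedetails);
    if ($trimmed === '' || strlen($trimmed) > $maxBytes) {
        return null;
    }
    return $trimmed;
}

// How the two pieces would sit in the request handler (assumed wiring):
//   $details = validate_details((string)($_GET['pgedetails'] ?? ''));
//   echo $details === null ? 'Invalid page details.' : render_details_safe($details);

// Self-check from the CLI (php xss_check.php) using a constructed payload.
$payload   = '<script>alert(1)</script>';
$validated = validate_details($payload) ?? '';

$vuln = render_details_vulnerable($validated);
$safe = render_details_safe($validated);

printf("vulnerable output reflects raw tag: %s\n", strpos($vuln, '<script>') !== false ? 'yes' : 'no');
printf("hardened output reflects raw tag:   %s\n", strpos($safe, '<script>') !== false ? 'yes' : 'no');
printf("hardened output: %s\n", $safe);
```

One caveat: htmlspecialchars is correct only when pgedetails is meant to be displayed as text. If the field legitimately stores HTML markup for the page, encoding will render the tags literally; in that case the value must instead go through an HTML sanitizer with an allow-list of tags and attributes, and encoding is still used for any other contexts (attributes, JavaScript, URLs) into which the value is written.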
Update the Tourism Management System to a patched version that fixes the XSS vulnerability in the manage-pages.php file. If no patched version is available, carefully review and filter the input of the pgedetails parameter to prevent injection of malicious code. Consider implementing server-side validation and sanitization of data to mitigate the risk.
CVE-2025-0538 is a cross-site scripting (XSS) vulnerability affecting Tourism Management System version 1.0. It allows attackers to inject malicious scripts via the pgedetails parameter of the /admin/manage-pages.php file.
You are affected if you are using Tourism Management System version 1.0. Upgrade to version 1.0.1 or later to resolve the vulnerability.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the pgedetails parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Tourism Management System's official website or security advisory page for the latest information and updates regarding CVE-2025-0538.