Platform
php
Fixed version
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Blood Bank System versions 1.0 through 1.0. This flaw resides in the processing of the /admin/user.php file, specifically through manipulation of the 'email' argument. Successful exploitation allows for remote code execution, potentially compromising sensitive data and system integrity. The vulnerability has been publicly disclosed and a fix is available in version 1.0.1.
The XSS vulnerability in Blood Bank System allows an attacker to inject malicious scripts into web pages viewed by other users, particularly administrators accessing the /admin/user.php page. This can lead to session hijacking, defacement of the application, or redirection to malicious websites. An attacker could potentially steal administrator credentials, gain unauthorized access to the blood bank system's data, and manipulate patient records. The impact is amplified if the system is used in a shared hosting environment, as other applications on the same server could be at risk. While the CVSS score is LOW, the potential for data compromise and administrative control makes this a significant concern.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known exploitation campaigns have been reported at the time of writing, but the availability of a public disclosure makes it a potential target. The CVSS score of 2.4 indicates a low probability of exploitation, but proactive mitigation is still recommended. No KEV listing is present.
Blood Bank System installations running versions 1.0 through 1.0 are directly at risk. Organizations utilizing shared hosting environments where Blood Bank System is deployed are particularly vulnerable, as a compromise could potentially impact other applications on the same server. Administrators of the Blood Bank System are at the highest risk due to their access to the /admin/user.php page.
• php: Examine web server access logs for requests to /admin/user.php with unusual characters or patterns in the email parameter. Use grep to search for suspicious input.
grep 'email=[^a-zA-Z0-9@._-]' /var/log/apache2/access.log
• generic web: Use curl to test the /admin/user.php endpoint with a malicious payload in the email parameter and observe the response for signs of XSS.
curl 'http://<bloodbanksystem>/admin/user.php?email=<script>alert("XSS")</script>' -s
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1579 is to immediately upgrade Blood Bank System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the 'email' parameter of the /admin/user.php endpoint. Input validation on the server-side, specifically sanitizing the 'email' parameter, can also help prevent XSS attacks. Monitor access logs for unusual activity related to the /admin/user.php endpoint, looking for requests with unexpected characters or patterns in the 'email' parameter.
Upgrade to a patched version of Blood Bank System. If no patched version is available, review and sanitize the input of the 'email' parameter in the /admin/user.php file to prevent execution of XSS code. Consider temporarily disabling the affected functionality until a fix can be applied.
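The server-side validation and output encoding recommended above, as an added illustration that is not the Blood Bank System project's own code. It assumes a PHP handler that reads 'email' from the query string; the function names are hypothetical.

```php
<?php
// Added example (not Blood Bank System code): validate the 'email'
// parameter on the way in and encode it on the way out, so that a value
// rendered on an admin page such as /admin/user.php cannot execute as script.
declare(strict_types=1);

/**
 * Return a syntactically valid email address or null. Input validation
 * narrows what reaches the application: bare '<', '>' and '"' fail the
 * filter. A quoted local part ("<x>"@example.com) is still valid RFC 5322
 * syntax, so this alone is not the XSS control; output encoding below is.
 */
function validateEmailParam(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * Applied regardless of validation, so values stored before validation
 * existed are rendered inertly as well.
 */
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Page handler: reject invalid input with a 400, encode valid input on output.
$email = validateEmailParam($_GET['email'] ?? null);
if ($email === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo 'Invalid email parameter';
    exit;
}
header('Content-Type: text/html; charset=UTF-8');
echo '<td>' . htmlEncode($email) . '</td>';
```

The same encode-on-output rule applies to any other place the stored email is displayed, since a reflected payload and a stored payload reach the administrator's browser the same way.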
CVE-2025-1579 is a cross-site scripting (XSS) vulnerability affecting Blood Bank System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/user.php file.
Yes, if you are running Blood Bank System version 1.0 or 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Blood Bank System to version 1.0.1 or later. As a temporary workaround, implement a WAF rule to filter suspicious characters in the 'email' parameter.
While no active exploitation campaigns have been confirmed, the public disclosure of this vulnerability increases the risk of exploitation. Proactive mitigation is recommended.
Please refer to the Blood Bank System project's official website or repository for the advisory related to CVE-2025-1579.