Platform
php
Fixed version
1.0.1
CVE-2025-1957 identifies a problematic cross-site scripting (XSS) vulnerability within the Blood Bank System, specifically affecting versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data integrity. A patch, version 1.0.1, has been released to address this vulnerability.
Successful exploitation of CVE-2025-1957 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the Blood Bank System's web interface. The attacker could potentially steal sensitive patient data or manipulate blood bank records, depending on the application's functionality and user privileges. Given the nature of XSS, the impact can be significant, particularly if the application handles sensitive information or is integrated with other systems.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the potential impact on sensitive data warrants immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Blood Bank System deployments running version 1.0 are directly at risk. Shared hosting environments, where multiple applications share the same server resources, are particularly exposed, as an attacker could potentially use this vulnerability to gain access to other applications on the same server. Organizations relying on this system to manage sensitive patient data are also at heightened risk.
• php / server:
  grep -rn "Bloodname" /BBfile/Blood/o+.php
• generic web:
  curl -I "http://your-blood-bank-system/BBfile/Blood/o+.php?Bloodname=<script>alert(1)</script>"
Exploit status
EPSS
0.12% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1957 is to immediately upgrade the Blood Bank System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Bloodname parameter within the /BBfile/Blood/o+.php file. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the Bloodname parameter and verifying that it is properly sanitized or blocked.
Update to a patched version of the Blood Bank System. If no patched version is available, sanitize user input, especially the Bloodname parameter, to prevent the execution of malicious JavaScript code. Implement security measures such as output encoding and input validation.
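The two mitigation notes above describe input validation and output encoding on the Bloodname parameter without showing code. The following is an added example, not the Blood Bank System's own source: the shape of the vulnerable handler is assumed (the page does not show o+.php), and the list of accepted blood-group values is a constructed allowlist.

```php
<?php
// Added example (not the Blood Bank System's own code): how the Bloodname
// parameter of /BBfile/Blood/o+.php might be handled before and after a fix.
// The original handler is not shown on the advisory page, so the vulnerable
// shape below is an assumption; the hardening pattern is the point.

// Assumed vulnerable pattern: the raw query parameter is echoed into HTML,
// so a value such as <script>alert(1)</script> is rendered as markup.
function render_vulnerable(array $get): string
{
    $name = $get['Bloodname'] ?? '';
    return "<h2>Blood group: " . $name . "</h2>";
}

// Constructed allowlist of the values this parameter is expected to carry.
const ALLOWED_BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

// Hardened version: validate the input against the expected values, then
// HTML-encode on output regardless of validation.
function render_hardened(array $get): string
{
    $name = $get['Bloodname'] ?? '';

    // Input validation: reject anything that is not a known blood group.
    if (!in_array($name, ALLOWED_BLOOD_GROUPS, true)) {
        http_response_code(400);
        return "<h2>Invalid blood group</h2>";
    }

    // Output encoding: ENT_QUOTES encodes both quote styles, so the value is
    // also safe if it is later placed inside an HTML attribute.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Blood group: " . $safe . "</h2>";
}

// Demonstration with a constructed request (run as a CLI script).
$probe = ['Bloodname' => '<script>alert(1)</script>'];
echo "vulnerable: " . render_vulnerable($probe) . PHP_EOL;
echo "hardened:   " . render_hardened($probe) . PHP_EOL;
echo "hardened:   " . render_hardened(['Bloodname' => 'O+']) . PHP_EOL;
```

The first line of output reproduces the reflected payload, the second rejects it, and the third shows that a legitimate value still renders normally.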
CVE-2025-1957 is a cross-site scripting (XSS) vulnerability in Blood Bank System versions 1.0–1.0, allowing attackers to inject malicious scripts.
Yes, if you are running Blood Bank System version 1.0–1.0, you are affected by this vulnerability.
Upgrade to version 1.0.1 or implement input validation and output encoding on the Bloodname parameter.
While no active campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Blood Bank System project's official website or repository for the advisory related to CVE-2025-1957.