Platform
php
Component
irifyscanresult
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Web-based Pharmacy Product Management System version 1.0 (the affected range is listed as 1.0 through 1.0). The flaw allows attackers to inject scripts into the application, potentially compromising user sessions and data. It resides in the add-admin.php file, specifically in the handling of the txtpassword, txtfullname, and txtemail parameters. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-3821 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. An attacker could potentially steal sensitive pharmacy data, such as patient information or prescription details, if the application handles such data. The impact is amplified if the system is used in a shared hosting environment, as a compromised instance could potentially affect other applications hosted on the same server.
This vulnerability was publicly disclosed on 2025-04-20. A proof-of-concept exploit is likely available due to the public disclosure. The CVSS score is LOW (2.4), suggesting that exploitation may require specific user interaction or a targeted attack. There is no indication of active exploitation campaigns or inclusion in the CISA KEV catalog at this time.
Pharmacies and healthcare providers utilizing the SourceCodester Web-based Pharmacy Product Management System, particularly those running version 1.0, are at risk. Organizations relying on this system for managing patient data or prescription information are especially vulnerable. Shared hosting environments where multiple applications are hosted on the same server are also at increased risk, as a compromise of one application could potentially impact others.
• php / web:
grep -r "txtpassword.*txtemail" /var/www/html/add-admin.php
• generic web:
curl -I "http://your-pharmacy-system/add-admin.php?txtpassword=<script>alert(1)</script>"
• generic web:
grep -A 10 "add-admin.php" /var/log/apache2/access.log | grep "txtpassword.*txtemail"
Exploit status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3821 is to upgrade to version 1.0.1 of the Web-based Pharmacy Product Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the txtpassword, txtfullname, and txtemail parameters within the add-admin.php file. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads targeting these parameters can provide an additional layer of defense. Review and sanitize all user-supplied input before rendering it in the application's output.
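As an added example (not code from the SourceCodester project, whose add-admin.php is not reproduced on this page), the following PHP handler shows the workaround described above: input validation on the three named parameters plus output encoding at render time. The function names, the name-format policy, the password length bounds and the confirmation page are assumptions.

```php
<?php
// Added example: a hardened version of the kind of handler add-admin.php is
// assumed to contain. The real file is not shown on the advisory page, so the
// structure below is a hypothetical reconstruction, not the project's code.
declare(strict_types=1);

// Vulnerable pattern the advisory describes: raw request values rendered as HTML.
//   echo "Welcome " . $_POST['txtfullname'];   // reflected XSS

// Encode a value for safe insertion into an HTML text or attribute context.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the three parameters named in the advisory; return null on any failure.
function validate_admin_input(array $post): ?array
{
    $fullname = trim((string)($post['txtfullname'] ?? ''));
    $email    = trim((string)($post['txtemail'] ?? ''));
    $password = (string)($post['txtpassword'] ?? '');

    // Full name: letters, marks, spaces, dots, apostrophes, hyphens; bounded length (assumed policy).
    if (!preg_match("/^[\p{L}\p{M} .'-]{1,100}$/u", $fullname)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        return null;
    }
    // Password length bounds are an assumed policy; the value is never rendered.
    if (strlen($password) < 8 || strlen($password) > 128) {
        return null;
    }
    return ['fullname' => $fullname, 'email' => $email, 'password' => $password];
}

$input = validate_admin_input($_POST);
if ($input === null) {
    http_response_code(400);
    echo 'Invalid input.';   // do not reflect the rejected raw values back into the page
    exit;
}

// Store only a password hash; insert via a prepared statement (omitted here).
$hash = password_hash($input['password'], PASSWORD_DEFAULT);

// Any value echoed back (e.g. on a confirmation page) is encoded at output time.
echo '<p>Created admin ' . html_encode($input['fullname'])
   . ' &lt;' . html_encode($input['email']) . '&gt;</p>';
```

Validation alone is not the control here: the encoding call at output is what prevents a stored or reflected value from being interpreted as markup, so apply it on every render path, not only the one shown.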
Update to a patched version of the system. If no such version is available, sanitize the input of the txtpassword, txtfullname and txtemail fields in the add-admin.php file to prevent the execution of malicious JavaScript code.
CVE-2025-3821 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Web-based Pharmacy Product Management System versions 1.0-1.0, allowing attackers to inject malicious scripts via parameters in the add-admin.php file.
You are affected if you are using SourceCodester Web-based Pharmacy Product Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on vulnerable parameters.
While there's no confirmed active exploitation, a proof-of-concept is likely available due to the public disclosure, making exploitation possible.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2025-3821.