CVE-2025-1597 · CVSS 3.5 · LOW

SourceCodester Best Church Management Software redirect.php cross site scripting


Platform

php

Component

cveproject

Fixed in

1.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in SourceCodester Best Church Management Software versions 1.0 through 1.0. The flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides in the /admin/redirect.php file and can be exploited remotely. A fix is available in version 1.0.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-1597 enables an attacker to inject arbitrary JavaScript code into the Best Church Management Software application. This can be leveraged to steal user credentials, redirect users to malicious websites, or modify the application's behavior. The impact is particularly severe for administrative users, as their accounts could be compromised, granting the attacker full control over the church management system. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected system. While the CVSS score is LOW, the potential for data theft and system compromise warrants immediate attention.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the risk of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's public disclosure. The vendor has not responded to early disclosure attempts, which may indicate a lack of responsiveness to security concerns.

Who Is at Risk

Churches and religious organizations utilizing SourceCodester Best Church Management Software, particularly those running versions 1.0 through 1.0, are at risk. Organizations relying on this software for sensitive data management, such as member information and financial records, face a heightened risk of compromise.

Detection Steps

• php: Examine access logs for requests to /admin/redirect.php with unusual or suspicious values in the a parameter.

grep "/admin/redirect.php?a=" /var/log/apache2/access.log | less

• generic web: Use curl to test the /admin/redirect.php endpoint with a simple XSS payload (e.g., <script>alert(1)</script>).

curl 'http://example.com/admin/redirect.php?a=<script>alert(1)</script>'

• generic web: Check response headers for signs of script injection or unexpected behavior.
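As an added example (not part of this advisory and not the vendor's code), the following script applies the log-review step above to constructed Apache access log lines. It goes one step beyond the plain grep: it isolates the a parameter of /admin/redirect.php and percent-decodes it repeatedly, so double-encoded payloads that a literal search would miss are still flagged. The log format, the sample lines and the suspicious-pattern heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /admin/redirect.php?a=dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Mar/2025:12:00:02 +0000] "GET /admin/redirect.php?a=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [10/Mar/2025:12:00:03 +0000] "GET /admin/redirect.php?a=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2025:12:00:04 +0000] "GET /admin/index.php?a=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup or script fragments that have no place in a redirect target (heuristic).
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_redirects(log_text):
    """Return the log entries whose /admin/redirect.php 'a' value looks like markup or script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/admin/redirect.php":
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("a", []):
            value = decode_fully(raw)  # parse_qs decoded once; handle nested encoding
            if SUSPICIOUS_RE.search(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "a": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_redirects(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} a={hit["a"]!r}')
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/apache2/access.log; a hit is a lead to triage, not proof of compromise.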

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.12% (31st percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N · 3.5 LOW

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: Required (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of exposure of sensitive data)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no confidentiality impact.
Integrity
Low: the attacker can modify some data to a limited extent.
Availability
None: no availability impact.

Affected Software

Component: cveproject
Vendor: SourceCodester
Affected range: 1.0 – 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-1597 is to immediately upgrade to version 1.0.1 of Best Church Management Software. If upgrading is not immediately feasible, consider implementing strict input validation on the 'a' parameter within the /admin/redirect.php file to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious activity related to the /admin/redirect.php endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload via the 'a' parameter and verifying that it is properly sanitized.

How to Fix

Upgrade to a patched version of the software. If no patched version is available, disabling or removing the software until a fix is published is recommended. Validate and sanitize user input in the 'a' parameter of the /admin/redirect.php file to prevent injection of malicious code.


Frequently Asked Questions

What is CVE-2025-1597 — XSS in Best Church Management Software?

CVE-2025-1597 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Best Church Management Software versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/redirect.php file.

Am I affected by CVE-2025-1597 in Best Church Management Software?

You are affected if you are using SourceCodester Best Church Management Software version 1.0 or 1.0. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2025-1597 in Best Church Management Software?

Upgrade to version 1.0.1. As a temporary workaround, implement strict input validation on the 'a' parameter in /admin/redirect.php.

Is CVE-2025-1597 being actively exploited?

The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed, but is possible.

Where can I find the official Best Church Management Software advisory for CVE-2025-1597?

The vendor has not yet released an official advisory. Monitor the SourceCodester website and security forums for updates.
