Platform
php
Component
pocs
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CampCodes DepEd Equipment Inventory System, specifically affecting version 1.0. This issue resides in the processing of the /data/add_employee.php file, enabling attackers to inject malicious scripts. The vulnerability has been publicly disclosed and poses a risk to systems running the affected version. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0348 allows an attacker to inject arbitrary JavaScript code into the DepEd Equipment Inventory System. This code can then be executed in the context of a user's browser when they access the affected page. The attacker could potentially steal session cookies, redirect users to malicious websites, or deface the application. The impact is primarily focused on user interaction and data theft, but could be amplified if the system handles sensitive information or is integrated with other critical systems. While the CVSS score is LOW, the public disclosure and ease of exploitation make it a significant concern.
This vulnerability was publicly disclosed on 2025-01-09. A proof-of-concept exploit is likely available due to the public disclosure. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The LOW CVSS score suggests a lower probability of widespread exploitation, but the public availability of the vulnerability increases the risk.
Organizations and institutions utilizing the DepEd Equipment Inventory System version 1.0, particularly those with limited resources for immediate patching, are at risk. Shared hosting environments where multiple users share the same server and application code are also at increased risk, as a vulnerability in one application can potentially impact others.
• php / web:
grep -r "<script" /var/www/html/data/add_employee.php
• generic web:
curl -I http://your-deped-inventory-system/data/add_employee.php | grep -i "X-XSS-Protection"
Disclosure
Exploit Status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0348 is to upgrade to version 1.0.1 of the DepEd Equipment Inventory System. This version contains a fix for the XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /data/add_employee.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
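One way to apply the validation and output-encoding workaround described above, written for this page as an added example (it is not code from the CampCodes project); the form field names employee_name and position are assumed:

```php
<?php
// Added example: a hardened input-handling pattern for a PHP page such as
// /data/add_employee.php. Field names employee_name and position are
// assumed for illustration and are not taken from the CampCodes source.

// Validate one form field: trim, enforce a byte-length limit, and reject
// ASCII control characters. Returns null when the value is unacceptable.
function validate_field(?string $value, int $maxLen = 100): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Encode a value for safe insertion into HTML text or attribute context.
// ENT_QUOTES escapes both ' and ", which matters inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name     = validate_field($_POST['employee_name'] ?? null);
$position = validate_field($_POST['position'] ?? null);

if ($name === null || $position === null) {
    http_response_code(400);
    exit('Invalid input.');
}

// Vulnerable pattern: echoing the raw value lets a submitted <script> tag,
// or a quote that breaks out of an attribute, run in a later visitor's browser.
//   echo "<td>" . $_POST['employee_name'] . "</td>";

// Hardened pattern: every user-controlled value is encoded at output time,
// and the stored value stays raw so encoding is always applied for the
// context it is rendered in.
echo "<tr><td>" . h($name) . "</td><td>" . h($position) . "</td></tr>";
```

The same h() wrapper should cover every place the stored values are later rendered, not only the add page, since stored XSS fires wherever the record is displayed.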
Update to a patched version of the DepEd Equipment Inventory System. If no such version is available, sanitize the user input in the /data/add_employee.php file to prevent injection of malicious code. Validate and escape the data before it is displayed on the page.
CVE-2025-0348 is a cross-site scripting (XSS) vulnerability affecting DepEd Equipment Inventory System version 1.0, allowing attackers to inject malicious scripts via the /data/add_employee.php file.
You are affected if you are using DepEd Equipment Inventory System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /data/add_employee.php page.
While there are no confirmed reports of active exploitation, the public disclosure increases the likelihood of exploitation.
Refer to the CampCodes website or relevant security forums for the official advisory regarding CVE-2025-0348.