Platform
php
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Art Gallery Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the /search.php file and can be triggered by manipulating the 'search' argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-2047 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, defacement of the Art Gallery Management System's web pages, and redirection to phishing sites. Sensitive user data, such as login credentials or personal information stored within the application, could be exposed. The remote nature of the vulnerability means an attacker doesn't need local access to exploit it.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on CISA KEV.
Organizations using the PHPGurukul Art Gallery Management System, particularly those with publicly accessible instances and limited security controls, are at risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• php: Examine /search.php for unsanitized user input used in output.

    if (isset($_GET['search'])) {
        $search = $_GET['search'];
        echo $search; // Vulnerable line - no sanitization
    }

• generic web: Check access logs for unusual requests to /search.php with suspicious parameters.
• generic web: Use curl to test the /search.php endpoint with various payloads (e.g., <script>alert('XSS')</script>).
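One way to run the access-log check listed above, as an added example that is not part of the original advisory or the PHPGurukul code. It assumes Combined Log Format access logs; the sample log lines, patterns and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed log layout (Combined Log Format): ip ... "METHOD target PROTO" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markup indicators in a search term. Quotes are deliberately not flagged so
# that names such as O'Keeffe do not raise false positives.
MARKUP_RE = re.compile(r'[<>]|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /search.php?search=monet+landscape HTTP/1.1" 200 5120',
    "198.51.100.23 - - [10/Mar/2025:10:02:11 +0000] \"GET /search.php?search=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E HTTP/1.1\" 200 4987",
    '198.51.100.23 - - [10/Mar/2025:10:02:40 +0000] "GET /search.php?search=%253Cb%253E HTTP/1.1" 200 4990',
    '203.0.113.9 - - [10/Mar/2025:10:03:00 +0000] "GET /index.php?search=%3Cb%3E HTTP/1.1" 200 1000',
]

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), with a bounded loop."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_search_requests(lines, path="/search.php", param="search"):
    """Return (ip, status, decoded_value) for requests whose search term contains markup."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue  # only the endpoint named in the advisory
        # parse_qs decodes once; decode_fully catches double-encoded values.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = decode_fully(raw)
            if MARKUP_RE.search(value):
                findings.append((m.group("ip"), m.group("status"), value))
    return findings

if __name__ == "__main__":
    for ip, status, value in suspicious_search_requests(SAMPLE_LOG):
        print(f"{ip} status={status} search={value!r}")
```

A hit only shows that markup was sent to the endpoint; whether it was reflected unencoded depends on the installed version of /search.php.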
EPSS
0.12% (30th percentile)
The primary mitigation for CVE-2025-2047 is to upgrade the Art Gallery Management System to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'search' parameter within the /search.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape.
Update to a patched version of the gallery management system. If no patched version is available, sanitize the input of the 'search' parameter in the /search.php file to prevent the execution of malicious JavaScript code.
CVE-2025-2047 is a cross-site scripting (XSS) vulnerability in PHPGurukul Art Gallery Management System version 1.0, allowing attackers to inject malicious scripts via the /search.php file.
You are affected if you are using PHPGurukul Art Gallery Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'search' parameter in /search.php.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2025-2047.