Platform
php
Component
multi-restaurant-table-reservation-system-search
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Vehicle Management System versions 1.0 through 1.0. It affects the /confirmbooking.php file: manipulation of the 'id' argument lets an attacker inject script into the page. The vulnerability is exploitable remotely and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-2377 allows an attacker to inject arbitrary JavaScript code into the Vehicle Management System. This could lead to session hijacking, defacement of the application, or redirection of users to malicious websites. Depending on the application's functionality and data handling practices, the attacker could potentially steal sensitive information such as user credentials or vehicle data. While the CVSS score is LOW, the ease of remote exploitation and the need for only minimal user interaction make it a concerning issue, particularly for systems with limited security controls.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and public disclosure. The vulnerability was published on 2025-03-17.
Organizations utilizing SourceCodester Vehicle Management System, particularly those with publicly accessible instances or those lacking robust input validation practices, are at risk. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromised user account could be leveraged to exploit this vulnerability.
• php / web: Request the page with a test value in the 'id' parameter and check what content type the response is served with:
curl -I 'http://your-vehicle-management-system/confirmbooking.php?id=<script>alert(1)</script>' | grep -i 'content-type'
• php / web: Examine /confirmbooking.php for lack of input validation on the 'id' parameter.
• generic web: Monitor access logs for unusual requests to /confirmbooking.php with suspicious parameters.
disclosure
Exploit Status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2377 is to upgrade to version 1.0.1 of the SourceCodester Vehicle Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /confirmbooking.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden all other input points to prevent similar vulnerabilities.
Update to a patched version of the vehicle management system. If no patched version is available, sanitize the input of the 'id' parameter in the file confirmbooking.php to prevent execution of malicious JavaScript code. Use XSS-specific escape functions when displaying user input.
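As an added illustration of the input validation and output encoding recommended above, here is example code (not the project's own confirmbooking.php, whose source is not shown on this page); the rule that a booking id must be a positive integer is an assumption.

```php
<?php
// Added example, not the project's code. The assumption is that the
// vulnerable version reflects $_GET['id'] into HTML unvalidated and
// unencoded, the pattern behind CVE-2025-2377, e.g.:
//   echo 'Booking ' . $_GET['id'] . ' confirmed.';   // vulnerable pattern
declare(strict_types=1);

// Step 1: input validation. Booking ids are assumed to be positive
// integers; anything else is rejected before it reaches the page.
function validate_booking_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: output encoding. ENT_QUOTES is set explicitly because before
// PHP 8.1 the default flags left single quotes unencoded, which matters
// when the value lands inside a single-quoted HTML attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$id = validate_booking_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    // Static message only: never echo the rejected value back to the client.
    echo '<p>Invalid booking id.</p>';
    exit;
}

// Even a validated integer is encoded at the point of output, so the page
// stays safe if the validation rule is ever relaxed later.
echo '<p>Booking ' . html_escape((string) $id) . ' confirmed.</p>';
```

A web application firewall can block known payloads, but only the validation and encoding above remove the underlying defect.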
CVE-2025-2377 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Vehicle Management System versions 1.0–1.0. It allows attackers to inject malicious scripts via the /confirmbooking.php file.
You are affected if you are using SourceCodester Vehicle Management System version 1.0 or 1.0. Check your version and upgrade immediately if vulnerable.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the /confirmbooking.php page.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2025-2377.