Plataforma
php
Corrigido em
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in the Human Metapneumovirus Testing Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'email' parameter within the admin profile page (/profile.php). The vulnerability has been publicly disclosed and a patch is available in version 1.0.1, addressing the issue.
Successful exploitation of CVE-2025-2375 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Human Metapneumovirus Testing Management System. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive user data, including personal information and potentially medical testing results, depending on the system's data handling practices. The impact is amplified if the system is used in a healthcare setting, where patient data confidentiality is paramount.
This vulnerability was publicly disclosed on 2025-03-17. A proof-of-concept exploit is likely available given the public disclosure. The CVSS score is LOW, suggesting that exploitation may require specific user interaction or a targeted attack. There is no indication of active exploitation campaigns at this time, but the public availability of the vulnerability increases the risk of opportunistic attacks.
Healthcare organizations and laboratories utilizing the Human Metapneumovirus Testing Management System are particularly at risk, as the system likely handles sensitive patient data. Administrators and users with access to the admin profile page are also directly exposed to the vulnerability.
• php: Examine /profile.php for improper input validation of the 'email' parameter. Search for instances where user input is directly outputted to the page without proper encoding.
• generic web: Monitor access logs for requests to /profile.php with unusual or suspicious parameters in the 'email' field. Look for patterns indicative of XSS attempts (e.g., <script>).
• generic web: Use curl to test the /profile.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>) and verify that the payload is not executed.
disclosure
Status do Exploit
EPSS
0.09% (percentil 25%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-2375 is to immediately upgrade the Human Metapneumovirus Testing Management System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'email' parameter in /profile.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /profile.php endpoint can provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the email field and verifying that the script is not executed.
Atualize o sistema de gestão de testes Human Metapneumovirus para uma versão corrigida ou implemente medidas de sanitização de entrada no arquivo profile.php, especificamente no argumento 'email', para prevenir ataques de Cross-Site Scripting (XSS). Valide e escape a entrada do usuário antes de exibi-la na página para evitar a execução de código malicioso.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-2375 is a cross-site scripting (XSS) vulnerability in Human Metapneumovirus Testing Management System version 1.0, allowing attackers to inject malicious scripts via the email parameter in /profile.php.
You are affected if you are running Human Metapneumovirus Testing Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'email' parameter in /profile.php.
There is no current indication of active exploitation, but the public disclosure increases the risk of opportunistic attacks.
Refer to the vendor's official website or security advisories for the most up-to-date information regarding CVE-2025-2375.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.