Platform
php
Component
multi-restaurant-table-reservation-system-search
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Vehicle Management System versions 1.0 through 1.0. This vulnerability affects the /confirmbooking.php file, allowing attackers to inject malicious scripts via manipulation of the 'id' argument. The vulnerability is exploitable remotely and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-2377 allows an attacker to inject arbitrary JavaScript code into the Vehicle Management System. This could lead to session hijacking, defacement of the application, or redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or vehicle data, depending on the application's functionality and data handling practices. While the CVSS score is LOW, the ease of remote exploitation and the potential for user interaction make it a concerning issue, particularly for systems with limited security controls.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and public disclosure. The vulnerability was published on 2025-03-17.
Organizations utilizing SourceCodester Vehicle Management System, particularly those with publicly accessible instances or those lacking robust input validation practices, are at risk. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromised user account could be leveraged to exploit this vulnerability.
• php / web: curl -I 'http://your-vehicle-management-system/confirmbooking.php?id=<script>alert(1)</script>' | grep -i 'content-type'
• php / web: Examine /confirmbooking.php for lack of input validation on the 'id' parameter.
• generic web: Monitor access logs for unusual requests to /confirmbooking.php with suspicious parameters.
Exploit Status
disclosure
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2377 is to upgrade to version 1.0.1 of the SourceCodester Vehicle Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /confirmbooking.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review and harden all other input points to prevent similar vulnerabilities.
Update to a fixed version of the vehicle management system. If no fixed version is available, sanitize the input of the 'id' parameter in the confirmbooking.php file to prevent execution of malicious JavaScript code. Use XSS-specific escaping functions when displaying user input.
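As an added illustration of the validate-then-encode mitigation described above (example code written for this page, not the SourceCodester project's own source), the following hypothetical PHP shows the reflecting pattern the advisory describes beside a hardened form; every function and variable name here is an assumption.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical): the raw query-string value is echoed
// straight into HTML, so any markup supplied in 'id' is rendered by the browser.
function render_booking_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return "<p>Booking reference: {$id}</p>";
}

// Step 1: validate. A booking id is expected to be a positive integer, so
// anything else is rejected before it reaches the page.
function validate_booking_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Step 2: encode on output. ENT_QUOTES covers both quote styles so the value
// is also safe inside attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validation rejects malformed ids, and encoding is still
// applied to the accepted value as defence in depth.
function render_booking_hardened(array $get): string
{
    $id = validate_booking_id($get['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid booking reference.</p>';
    }
    return '<p>Booking reference: ' . html_escape((string) $id) . '</p>';
}

// Constructed sample inputs: a malformed request and a well-formed one.
$malformed = ['id' => '<script>alert(1)</script>'];
$wellFormed = ['id' => '42'];

echo render_booking_vulnerable($malformed), PHP_EOL; // markup reaches the page
echo render_booking_hardened($malformed), PHP_EOL;   // rejected with 400
echo render_booking_hardened($wellFormed), PHP_EOL;  // <p>Booking reference: 42</p>
```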
CVE-2025-2377 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Vehicle Management System versions 1.0–1.0. It allows attackers to inject malicious scripts via the /confirmbooking.php file.
You are affected if you are using SourceCodester Vehicle Management System version 1.0 or 1.0. Check your version and upgrade immediately if vulnerable.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the /confirmbooking.php page.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2025-2377.