Platform
php
Component
online-bike-rental
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Online Bike Rental version 1.0. The flaw is in the /vehical-details.php file, specifically its HTTP GET request handler: a user-supplied GET parameter reaches the page without adequate validation or output encoding. Successful exploitation allows remote attackers to inject scripts that execute in victims' browsers, potentially compromising user sessions and data integrity. The vulnerability is resolved in version 1.0.1.
The flaw lets an attacker inject arbitrary JavaScript that runs in the victim's browser, within the application's origin, when the victim loads the affected page (for a GET-handler flaw, typically by following a crafted link). The injected script can read session cookies that are not marked HttpOnly, perform actions in the application as the victim, redirect the user to malicious websites, or deface the page. The impact grows if the application handles sensitive data or is integrated with other systems, since the attacker may reach that data or use the compromised application as a foothold for further attacks. Although the CVSS score is LOW, user compromise and data theft remain a real concern.
CVE-2025-0339 was publicly disclosed on 2025-01-09. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's LOW CVSS score suggests a lower probability of active exploitation, but diligent monitoring is still recommended. It is not currently listed on the CISA KEV catalog.
Organizations and individuals running Online Bike Rental version 1.0 are at risk. Because the flaw is in the GET request handler of a publicly reachable page, any user of the site, including administrators, who follows a crafted link to /vehical-details.php can be affected. The injected script executes in the victim's browser within the application's origin; it does not by itself execute on the web server, so exploitation on one site does not directly compromise other tenants on shared hosting.
• php / web: Send a benign test payload and check whether it comes back unencoded in the response body (a HEAD request with curl -I returns only headers and cannot show reflection). The parameter name param is a placeholder, since the advisory does not name the vulnerable parameter; substitute the GET parameters that /vehical-details.php actually reads:
curl -s -G --data-urlencode 'param=<script>alert(1)</script>' 'http://your-bike-rental-site.com/vehical-details.php' | grep -c '<script>alert(1)</script>'
A count greater than 0 means the payload was reflected without encoding.
• php / web: Examine /vehical-details.php for user-supplied GET parameters that are echoed into HTML without validation or output encoding (for example, without htmlspecialchars).
• generic web: Monitor access logs for GET requests to /vehical-details.php whose query strings contain markers such as <script, onerror= or javascript:; compare URL-decoded values, since payloads are usually percent-encoded.
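The log-monitoring check above, worked through as an added example (not code from the advisory or from the Online Bike Rental project): a small PHP scanner that parses combined-format access-log lines, URL-decodes the query string of each request to /vehical-details.php, and flags XSS-like payloads. The log lines are constructed for illustration, and the pattern list is an assumption that any deployment should tune.

```php
<?php
// Added example (not from the advisory or the Online Bike Rental project):
// scan Apache/nginx combined-format access-log lines for GET requests to
// /vehical-details.php whose query string carries XSS-like payloads.
// The sample log lines below are constructed for illustration.

declare(strict_types=1);

// Assumed starting pattern list; tune for the deployment.
const XSS_PATTERNS = [
    '/<\s*script/i',              // <script ...>
    '/\bon[a-z]+\s*=/i',          // onerror=, onload=, ... (event handler attributes)
    '/javascript\s*:/i',          // javascript: URLs
    '/<\s*(img|svg|iframe)\b/i',  // common tag-based payload carriers
];

/**
 * True if the request line targets /vehical-details.php and its query
 * string, after URL-decoding (so %3Cscript%3E is caught too), matches
 * one of the XSS patterns.
 */
function isSuspiciousRequest(string $requestLine): bool
{
    // e.g. "GET /vehical-details.php?id=4%3Cscript%3E HTTP/1.1"
    if (!preg_match('#^(GET|POST) (\S+) HTTP/#', $requestLine, $m)) {
        return false;
    }
    $path  = (string) (parse_url($m[2], PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($m[2], PHP_URL_QUERY) ?? '');
    if ($path !== '/vehical-details.php' || $query === '') {
        return false;
    }
    $decoded = rawurldecode($query);   // normalise %XX escapes before matching
    foreach (XSS_PATTERNS as $re) {
        if (preg_match($re, $decoded)) {
            return true;
        }
    }
    return false;
}

/** Parse a combined-format log line into client, request line and status. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) /', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'request' => $m[2], 'status' => (int) $m[3]];
}

/** Return the suspicious entries found in an array of log lines. */
function findXssAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry !== null && isSuspiciousRequest($entry['request'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample lines: one benign, two payloads, one payload against another page.
$sampleLog = [
    '203.0.113.5 - - [09/Jan/2025:10:00:01 +0000] "GET /vehical-details.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Jan/2025:10:00:07 +0000] "GET /vehical-details.php?id=4%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301 "-" "curl/8.0"',
    '198.51.100.2 - - [09/Jan/2025:10:01:12 +0000] "GET /vehical-details.php?id=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2025:10:02:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
];

foreach (findXssAttempts($sampleLog) as $hit) {
    printf("ALERT %s -> %s (HTTP %d)\n", $hit['client'], $hit['request'], $hit['status']);
}
```

Run with php scanner.php; the second and third sample lines are reported, the first (a normal id) and the fourth (a payload against a different page) are not. Decoding before matching matters: a filter that looks for a literal <script in the raw log misses the %3Cscript%3E form that browsers and curl actually send.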
Disclosure
Exploitation status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0339 is to upgrade Online Bike Rental to version 1.0.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the /vehical-details.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat landscape.
Upgrade to the patched version or take the necessary security measures to prevent XSS code injection. Properly validate and escape user input in the /vehical-details.php file, especially in the HTTP GET request handler. Implement a Content Security Policy (CSP) to reduce the impact of XSS.
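The interim hardening described above (input validation, output encoding, CSP), shown side by side with the vulnerable pattern as an added example. This is not code from the Online Bike Rental project: the parameter name id, the vehicle lookup and the page markup are assumptions, since the advisory names only the file and its GET request handler.

```php
<?php
// Added example (not code from the Online Bike Rental project): a minimal
// vehicle-details GET handler in its vulnerable form beside a hardened form.
// The parameter name "id", the lookup table and the markup are assumptions.

declare(strict_types=1);

/** Constructed stand-in for the real database lookup. */
function findVehicle(int $id): ?array
{
    $vehicles = [4 => ['name' => 'Trek FX 3', 'rate' => 25]];
    return $vehicles[$id] ?? null;
}

/** Vulnerable pattern: the raw GET value is interpolated straight into HTML. */
function renderVulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return "<h2>Vehicle #{$id}</h2>";   // a <script> tag in $id becomes live markup
}

/** Hardened pattern: validate the input type first, then encode every output. */
function renderSafe(array $get): string
{
    // 1. Input validation: id must be a positive integer; anything else is rejected
    //    before it is used for a lookup or rendered.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Invalid vehicle id.</p>';
    }
    $vehicle = findVehicle($id);
    if ($vehicle === null) {
        return '<p>Vehicle not found.</p>';
    }
    // 2. Output encoding: each dynamic value is HTML-escaped for the context it
    //    lands in (element text here), even values that came from the database.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<h2>Vehicle #%d: %s</h2><p>Rate: %s/day</p>',
        $id, $e($vehicle['name']), $e((string) $vehicle['rate']));
}

/** Defence in depth: a CSP without 'unsafe-inline' blocks injected inline scripts. */
function sendCspHeader(): void
{
    if (PHP_SAPI !== 'cli') {   // headers only make sense under a web SAPI
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed request: the kind of value the advisory's GET handler would receive.
$payload = ['id' => '4<script>alert(1)</script>'];
sendCspHeader();
echo "Vulnerable: ", renderVulnerable($payload), "\n";
echo "Hardened:   ", renderSafe($payload), "\n";
echo "Hardened (valid): ", renderSafe(['id' => '4']), "\n";
```

Running it from the command line shows the vulnerable branch emitting the script tag intact, while the hardened branch rejects the value at validation and never reaches output. Validation alone is not enough for free-text fields, which is why renderSafe also escapes the values it does accept; the CSP is a third layer that limits damage if an encoding gap is ever reintroduced.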
CVE-2025-0339 is a cross-site scripting (XSS) vulnerability affecting Online Bike Rental version 1.0 that allows attackers to inject malicious scripts via the HTTP GET request handler in /vehical-details.php.
You are affected if you are using Online Bike Rental version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary measure, implement input validation and output encoding on the /vehical-details.php page.
No active exploitation has been confirmed at this time, but diligent monitoring is recommended.
Refer to the Online Bike Rental project's official website or repository for the latest security advisories and updates.