平台
php
组件
j0hn_upload_one
修复版本
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Job Recruitment version 1.0. This flaw resides within the /parse/loadjob-details.php file and allows attackers to inject malicious scripts. Affected users should upgrade to version 1.0.1 to address this security concern. The vulnerability was publicly disclosed on 2025-02-01.
Successful exploitation of CVE-2025-0961 allows an attacker to inject arbitrary JavaScript code into the application. This can lead to various malicious outcomes, including session hijacking, defacement of the Job Recruitment interface, and redirection of users to phishing sites. The attacker can leverage this to steal sensitive user data or compromise the integrity of the application. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the affected system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting this specific CVE have been reported as of the publication date. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public disclosure necessitates prompt remediation.
Organizations utilizing Job Recruitment version 1.0, particularly those with publicly accessible job posting interfaces, are at risk. Shared hosting environments where multiple applications share the same server resources are also at increased risk, as a compromise of one application could potentially lead to the exploitation of this vulnerability in others.
• php / web:
grep -r "load_job-details.php" /var/www/html/• php / web:
curl -I http://your-job-recruitment-site.com/_parse/load_job-details.php?business_stream_name=<script>alert(1)</script>• generic web:
curl -I http://your-job-recruitment-site.com/_parse/load_job-details.php?company_website_url=<script>alert(1)</script>disclosure
漏洞利用状态
EPSS
0.05% (16% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-0961 is to upgrade Job Recruitment to version 1.0.1, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the businessstreamname and companywebsiteurl parameters within the /parse/load_job-details.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Verify the upgrade by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the affected parameters after the upgrade.
Actualizar a una versión parcheada o aplicar una solución que filtre o escape correctamente las entradas de los parámetros 'business_stream_name' y 'company_website_url' en el archivo '/_parse/load_job-details.php' para prevenir la inyección de código XSS. Validar y limpiar las entradas del usuario es crucial. Si no hay una versión parcheada disponible, considere deshabilitar o eliminar la funcionalidad afectada hasta que se pueda aplicar una solución.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-0961 is a cross-site scripting (XSS) vulnerability in Job Recruitment version 1.0, affecting the /parse/loadjob-details.php file. It allows attackers to inject malicious scripts.
You are affected if you are using Job Recruitment version 1.0 and have not upgraded to version 1.0.1. The vulnerability resides in the /parse/loadjob-details.php file.
Upgrade Job Recruitment to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the affected parameters.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Prompt remediation is recommended.
Refer to the official Job Recruitment project website or repository for the advisory related to CVE-2025-0961.