平台
php
修复版本
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in code-projects Real Estate Property Management System, affecting versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The issue resides within the /search.php file, specifically in an unknown function where the PropertyName argument is vulnerable. A fix is available in version 1.0.1.
Successful exploitation of CVE-2025-1196 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially steal sensitive information displayed within the Real Estate Property Management System, such as property details, user contact information, or financial data. The scope of impact depends on the privileges of the affected user; an administrator account compromise would grant the attacker extensive control over the system.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant prompt attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing the Real Estate Property Management System, particularly those with publicly accessible instances and limited input validation measures, are at risk. Shared hosting environments where multiple users share the same server resources are also particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
grep -r "PropertyName" /var/www/html/search.php | grep -i "<script"• generic web:
curl -I https://example.com/search.php?PropertyName=<script>alert(1)</script> | grep -i "alert(1)"disclosure
漏洞利用状态
EPSS
0.04% (12% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-1196 is to upgrade to version 1.0.1 of the Real Estate Property Management System. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the PropertyName parameter within the /search.php file. This can help prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies and conduct penetration testing to identify and address potential vulnerabilities.
Actualice el sistema Real Estate Property Management System a una versión parcheada que solucione la vulnerabilidad XSS. Si no hay una versión disponible, revise y filtre las entradas del parámetro PropertyName en el archivo /search.php para evitar la inyección de código malicioso. Considere implementar medidas de seguridad adicionales como la codificación de salida.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-1196 is a cross-site scripting (XSS) vulnerability in Real Estate Property Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the PropertyName parameter in /search.php.
You are affected if you are using Real Estate Property Management System version 1.0 or 1.0. Check your version and upgrade immediately if vulnerable.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the PropertyName parameter in /search.php.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security forums for the official advisory regarding CVE-2025-1196.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。