A cross-site scripting (XSS) vulnerability has been identified in the code-projects Blood Bank System, version 1.0. The flaw resides in the AB+.php file and is triggered by manipulating the Bloodname parameter. Successful exploitation allows remote attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Blood Bank System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe if the Blood Bank System handles sensitive patient data, as an attacker could potentially gain access to this information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the system.
This vulnerability was publicly disclosed on 2025-03-06. A proof-of-concept exploit is likely to be available due to the public disclosure. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation and potential impact warrant prompt remediation. No KEV listing or confirmed exploitation campaigns are currently known.
Organizations and individuals using the Blood Bank System version 1.0 are at risk. This includes healthcare providers, blood banks, and any entity relying on this system for managing blood-related data. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially exploit the vulnerability on one user's account to gain access to others.
• php / server (fixed-string match; the dollar sign is escaped so the shell does not expand $_GET):
grep -rF "Bloodname = \$_GET['Bloodname']" /var/www/html/
• generic web (URL quoted so the angle brackets are not treated as shell redirection):
curl -I "http://your-blood-bank-system/AB+.php?Bloodname=<script>alert('XSS')</script>"
Exploitation status
EPSS: 0.12% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2049 is to upgrade to version 1.0.1 of the Blood Bank System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Bloodname parameter in AB+.php to sanitize user-supplied data. While not a complete solution, this can reduce the risk of successful exploitation. Additionally, consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security policies and conduct penetration testing to identify and address potential vulnerabilities.
Upgrade to the patched version or take the necessary security measures to prevent XSS code execution. Validate and sanitize user input, in particular the Bloodname parameter in the AB+.php file. Implement a Content Security Policy (CSP) to reduce the XSS risk.
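The following is an added example, not code from the Blood Bank System project, showing the unsafe reflection pattern beside the validated and output-encoded form described above, plus the CSP header the advisory recommends. Only the file name AB+.php and the Bloodname parameter come from the advisory; the function names, the list of blood groups and the surrounding HTML are assumptions.

```php
<?php
// Added example, not the project's own code. Function names, the HTML
// fragment and the allowed-value list are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern: the parameter is placed into the page unencoded, so a
// value such as <script>...</script> is rendered as markup rather than text.
function render_bloodname_vulnerable(string $bloodname): string
{
    return '<h2>Blood group: ' . $bloodname . '</h2>';
}

// Input validation: blood groups are a closed set, so anything else is rejected.
// Note that '+' in a query string decodes to a space, so a client must send
// AB+ as Bloodname=AB%2B for this check to pass.
const ALLOWED_BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

// Hardened pattern: validate first, then HTML-encode on output so that any
// characters reaching the page are displayed literally, never interpreted.
function render_bloodname_safe(string $bloodname): string
{
    if (!in_array($bloodname, ALLOWED_BLOOD_GROUPS, true)) {
        // Unexpected input is never echoed back, encoded or not.
        return '<h2>Blood group: unknown</h2>';
    }
    $encoded = htmlspecialchars($bloodname, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Blood group: ' . $encoded . '</h2>';
}

// Defence in depth: a Content-Security-Policy without 'unsafe-inline' stops
// an injected inline <script> from executing even if encoding is missed.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed demonstration values when run from the command line.
    $payload = "<script>alert('XSS')</script>";
    echo 'vulnerable: ', render_bloodname_vulnerable($payload), PHP_EOL;
    echo 'safe:       ', render_bloodname_safe($payload), PHP_EOL;
    echo 'safe (AB+): ', render_bloodname_safe('AB+'), PHP_EOL;
} else {
    // Request handling as it would sit in AB+.php.
    send_security_headers();
    $input = (string) ($_GET['Bloodname'] ?? '');
    echo render_bloodname_safe($input);
}
```

Run with `php example.php` to compare the two renderings: the vulnerable function returns the script tag verbatim, while the safe function returns the fixed "unknown" fragment for the payload and the encoded value for a valid group. Output encoding with htmlspecialchars is the part that actually neutralises the injection; the allow-list and the CSP header are the additional layers the advisory recommends.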
CVE-2025-2049 is a cross-site scripting (XSS) vulnerability in Blood Bank System version 1.0, allowing attackers to inject malicious scripts via the Bloodname parameter in AB+.php.
You are affected if you are using Blood Bank System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the Bloodname parameter.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2025-2049.