Simple E-Banking System
CVE-2025-12244
Severity: LOW (NVD rating; NVD is the only source for this CVE)
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was determined in code-projects Simple E-Banking System 1.0. This affects an unknown part of the file /eBank/register.php. Executing manipulation of the argument Username can lead to cross-site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
Reflected cross-site scripting (XSS) in code-projects Simple E-Banking System 1.0 allows an unauthenticated remote attacker to inject script into the response of /eBank/register.php via the Username parameter. Exploitation requires user interaction (the victim must follow a crafted link or submit an attacker-prepared request), and the NVD vector rates the impact as low on integrity with no confidentiality or availability impact (VC:N/VI:L/VA:N). Public exploit code exists (E:P), but the EPSS score (0.03%, 10th percentile) suggests little real-world exploitation so far, even though XSS is a common attack class.
Technical Context (AI)
The flaw is in register.php of this PHP web application: the user-supplied Username value is reflected into the HTTP response without output encoding. This is CWE-79 (Improper Neutralization of Input During Web Page Generation): the value is written into the page without passing through an HTML-context encoder such as htmlspecialchars(), so a Username containing markup or script is rendered and executed by the victim's browser under the application's origin. Because the XSS is reflected rather than stored, the payload must be carried in a request the victim sends, typically by following a crafted link or submitting an attacker-prepared form; no server-side state is involved. The advisory does not state the exact code path or whether the parameter arrives via GET or POST.
Remediation (AI)
Update Simple E-Banking System to a fixed version if the vendor (code-projects.org) releases one. If no patch is available, encode the Username value for its HTML context wherever register.php echoes it, for example htmlspecialchars($username, ENT_QUOTES, 'UTF-8') (the variable name and whether the value comes from $_GET or $_POST depend on the actual source), or render the page through a templating engine with automatic escaping. As defense in depth, send a Content-Security-Policy header with script-src 'self' and no 'unsafe-inline', so that injected inline script does not execute even if an encoding bypass is found; this requires moving the application's own inline scripts into separate files. Also validate the username against an allow-list (letters, digits and a few punctuation characters, with a length limit), which is appropriate for a username field, but treat output encoding as the primary control. A Web Application Firewall (WAF) with XSS rules adds a further layer at some operational cost, which may not be justified for a low-severity issue.
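The following is an added example written for this page, not code from code-projects or the Simple E-Banking System source. It shows the unencoded reflection pattern described above beside a hardened version, plus the allow-list validation and CSP header recommended in the remediation. The function names, the assumption that the Username value is echoed back into a form input's value attribute, and the test payload are all constructed for illustration; the real register.php may differ.

```php
<?php
// Added example, not code from code-projects Simple E-Banking System.
// Assumption: register.php echoes the submitted Username back into an
// <input> value attribute. The real file layout is not known.

declare(strict_types=1);

// Vulnerable pattern (CWE-79): the raw value is interpolated into HTML.
// A value containing "> breaks out of the attribute and injects markup.
function render_username_vulnerable(string $username): string
{
    return '<input type="text" name="Username" value="' . $username . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// escapes both " and ', so the value cannot terminate the attribute.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_username_hardened(string $username): string
{
    return '<input type="text" name="Username" value="' . esc_html($username) . '">';
}

// Allow-list validation for a username field. This narrows what reaches
// the rest of the application; output encoding remains the primary control.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $username) === 1;
}

// Defense in depth: a CSP without 'unsafe-inline' stops injected inline
// script from running even if an encoding bypass is found.
function send_security_headers(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed payload of the kind used against reflected XSS (not from the advisory).
$payload = '"><script>alert(document.domain)</script>';

send_security_headers();
echo "Vulnerable: ", render_username_vulnerable($payload), PHP_EOL;
echo "Hardened:   ", render_username_hardened($payload), PHP_EOL;
echo "Payload passes allow-list? ", is_valid_username($payload) ? 'yes' : 'no', PHP_EOL;
echo "alice_01 passes allow-list? ", is_valid_username('alice_01') ? 'yes' : 'no', PHP_EOL;
```

Run it with the PHP CLI (php example.php) to compare the two renderings: the vulnerable output contains a live script element, while the hardened output has every " and < converted to an entity and remains inside the attribute. The CSP shown will also block the application's own inline scripts and event handlers, so those must be moved into files served from the same origin before deploying it.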