Client Details System
CVE-2025-12279
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in code-projects Client Details System 1.0. This vulnerability affects unknown code of the file /welcome.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
AnalysisAI
Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows remote attackers with high privileges and user interaction to inject malicious scripts via the /welcome.php file, resulting in limited integrity impact. The vulnerability has been publicly disclosed with exploit code available, though real-world exploitation is constrained by the requirement for high administrative privileges and user interaction, reflected in the exceptionally low CVSS score of 1.9 and EPSS probability of 0.03%.
Technical ContextAI
The vulnerability is a stored or reflected cross-site scripting (CWE-79) vulnerability in a PHP-based client management system. The /welcome.php endpoint fails to properly sanitize or encode user-supplied input before rendering it in HTML context. XSS vulnerabilities of this class allow attackers to inject arbitrary JavaScript that executes in the browsers of other users, potentially enabling session hijacking, credential theft, or malware distribution. The attack surface is the welcome page endpoint, which handles user-controlled input without adequate output encoding or Content Security Policy protections typical in web applications.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate patching is not recommended given the negligible CVSS score (1.9) and high privilege requirement. For organizations running Client Details System 1.0, implement compensating controls: restrict administrative access via network segmentation or VPN, enforce Content-Security-Policy headers (CSP: default-src 'self'; script-src 'self') to mitigate script injection impact, implement output encoding in the /welcome.php file by HTML-escaping all user-controlled variables before rendering them in HTML context, and deploy a Web Application Firewall (WAF) with XSS detection rules to block payloads containing script tags or event handlers. Monitor code-projects.org for security updates or consider evaluating alternative client management solutions if the software is no longer actively maintained. Patch when a security update becomes available or during the next scheduled major version upgrade.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today