Client Details System
CVE-2025-12280
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Client Details System 1.0. This issue affects some unknown processing of the file /update-clients.php. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
AnalysisAI
Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows high-privileged authenticated users to inject malicious scripts via the /update-clients.php endpoint, requiring user interaction to execute. The vulnerability carries a low CVSS score of 1.9 due to high privilege requirements (PR:H) and mandatory user interaction (UI:P), but publicly available exploit code exists, making it actionable for insider threats or social engineering scenarios targeting administrators.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in a PHP-based client management application. The /update-clients.php endpoint fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses, allowing an attacker to inject arbitrary JavaScript code. The affected product is a custom web application (CPE: cpe:2.3:a:fabian:client_details_system:1.0) used for managing client details. XSS vulnerabilities of this class typically arise from inadequate output encoding or input validation in server-side rendering contexts, enabling attackers to execute scripts in victims' browsers under the application's security context.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires upgrading to a patched version if the vendor (code-projects/Fabian) has released one; consult the project repository at https://code-projects.org/ for update availability. If no patch is available, implement compensating controls: (1) Apply strict input validation and HTML entity encoding to all user inputs in /update-clients.php, specifically encoding special characters (<, >, ", ') before rendering in HTML context; (2) Implement Content Security Policy (CSP) headers (e.g., default-src 'self'; script-src 'self') to restrict inline script execution; (3) Restrict administrative access to /update-clients.php via IP whitelisting or VPN gating, reducing the user population capable of triggering the vulnerability; (4) Enable HTTP-only and secure flags on session cookies to prevent script-based session theft. These controls mitigate the XSS payload execution at the cost of reduced administrative flexibility and require ongoing monitoring for bypass techniques.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today