Client Details System
CVE-2025-12281
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in code-projects Client Details System 1.0. Impacted is an unknown function of the file /admin/clientview.php. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated high-privilege users to inject malicious scripts into the /admin/clientview.php endpoint that execute in the context of other users' browsers. The vulnerability requires user interaction (victim must view affected content) and high administrative privileges to exploit, limiting real-world risk despite public exploit disclosure. EPSS score of 0.03% reflects the stringent authentication and interaction requirements that prevent widespread automated exploitation.
Technical ContextAI
The vulnerability is a cross-site scripting (CWE-79) flaw in a PHP-based web application. The affected endpoint /admin/clientview.php in the Client Details System (CPE: cpe:2.3:a:fabian:client_details_system:1.0:*:*:*:*:*:*:*) fails to properly sanitize user-supplied input before rendering it in HTML responses. The CVSS vector indicates the attack requires network access (AV:N) but mandates high privilege level (PR:H) and user interaction (UI:P), suggesting the vulnerability exists in an administrative interface where only trusted high-privilege accounts can inject payloads, but those payloads will execute when viewed by other users. The low integrity impact (VI:L) indicates the XSS is limited to client-side effects rather than server-side compromise.
RemediationAI
Upgrade to a patched version if the vendor has released one; vendor patch information is not available in the current disclosure data. Immediate mitigations for organizations unable to upgrade: (1) Implement strict input validation and output encoding in /admin/clientview.php - all user-supplied data must be HTML-encoded before rendering in responses; this neutralizes script injection at the source. (2) Apply a Web Application Firewall (WAF) rule to block requests containing script tags or event handlers in the clientview endpoint parameters - trade-off is potential false positives if legitimate use cases include special characters. (3) Restrict /admin/clientview.php access to a whitelist of specific IP addresses or require additional authentication layers (multi-factor authentication on admin accounts) - prevents credential compromise attacks from escalating to XSS injection. (4) Disable or remove the Client Details System if it is not actively used; this eliminates attack surface entirely. Contact the vendor at the code-projects.org domain to request a security patch if one has been released.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today