Client Details System
CVE-2025-12282
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in code-projects Client Details System 1.0. The affected element is an unknown function of the file /admin/manage-users.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.
AnalysisAI
Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated users with high privileges to inject malicious scripts via the /admin/manage-users.php endpoint, which are then executed in the browsers of other users who interact with the managed user data. The vulnerability requires administrative privileges and user interaction (UI:P) to exploit, resulting in limited integrity impact (VI:L). Public exploit code is available, though the extremely low CVSS score (1.9) and EPSS probability (0.04%) reflect the high privilege barrier and user interaction requirement that significantly constrain real-world risk.
Technical ContextAI
The vulnerability is a reflected or stored XSS flaw (CWE-79) in the PHP-based user management interface. The /admin/manage-users.php file fails to properly sanitize user input before rendering it in web responses, allowing attackers to inject arbitrary HTML and JavaScript. This occurs in an administrative context where the attack vector is network-accessible but protection is provided by the requirement for high-privilege account access (PR:H) and user interaction (UI:P). The affected product is identified via CPE as cpe:2.3:a:fabian:client_details_system:1.0, indicating this is a custom project management application rather than a widely-deployed framework.
RemediationAI
No vendor-released patch identified at time of analysis. The primary mitigation is to upgrade to a patched version if available from the vendor (code-projects.org), or disable the /admin/manage-users.php functionality if not immediately needed. Immediate compensating controls include: implement Content Security Policy (CSP) headers with script-src restrictions to prevent injected JavaScript execution; apply input validation and HTML entity encoding to all user-supplied data rendered in the manage-users.php file, especially user names and profile fields; restrict administrative access to this interface via IP allowlisting or VPN requirement; audit admin account activity and session logs for unauthorized modifications; apply Web Application Firewall (WAF) rules to block payloads containing script tags or event handlers in parameters passed to /admin/manage-users.php. These controls carry minimal performance overhead but should be validated to ensure they do not break legitimate admin workflows.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today