PHPGurukul Curfew e-Pass CVE-2025-12303
Severity (by source): LOW
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A flaw has been found in PHPGurukul Curfew e-Pass Management System 1.0. The impacted element is an unknown function of the file admin-profile.php. Executing a manipulation of the argument adminname/email can lead to cross-site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the adminname or email parameters in admin-profile.php, affecting user interface integrity and enabling credential theft or malware delivery. The vulnerability requires high-privilege access and user interaction (UI:P), resulting in a CVSS score of 1.9 despite network accessibility. Public exploit code exists but exploitation probability is exceptionally low (EPSS 0.03%, 9th percentile), suggesting this is primarily a demonstration or proof-of-concept rather than an active threat.
Technical Context (AI)
The vulnerability is a classic stored cross-site scripting (CWE-79) flaw in a PHP-based web application. The admin-profile.php script fails to properly sanitize or escape user-supplied input in the adminname and email parameters before storing or rendering them in HTML context. When an admin user modifies their profile with specially crafted JavaScript payloads, the application stores and subsequently displays these payloads without HTML encoding, allowing execution within the browser of any user viewing that profile. The attack surface is limited to authenticated administrative functions, and the payload executes only when the victim's browser renders the page containing the malicious input.
Remediation (AI)

Apply input validation and output encoding to the adminname and email parameters in admin-profile.php. Use HTML entity encoding (htmlspecialchars() or htmlentities() in PHP) for all user-supplied data before rendering in HTML context, or implement a whitelist of allowed characters for these fields.

If an updated version of Curfew e-Pass Management System is available from PHPGurukul, upgrade immediately; however, no patched version is currently documented in available sources.

As an interim compensating control, restrict access to the admin profile editing function to only trusted administrators and implement Content Security Policy (CSP) headers to restrict inline script execution. Note: restricting admin panel access may impact administrative workflow but significantly reduces exposure.

Review the admin-profile.php code for similar injection vulnerabilities in other parameters.
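The following PHP is an added example of the remediation described above; it is not PHPGurukul's code and does not reproduce admin-profile.php. The function names (e, validateAdminName, validateEmail, renderProfileUnsafe, renderProfileSafe, sendSecurityHeaders, handleProfileUpdate), the $profile array layout and the CSP policy string are assumptions chosen for illustration; the real application's schema and asset layout are not on the page, so the CSP in particular would need adjusting before use.

```php
<?php
// Added example (not PHPGurukul's code): hardened handling of the adminname
// and email fields of a profile page. All names here are assumptions; the
// real admin-profile.php schema and form layout are not documented on the page.

declare(strict_types=1);

// Output encoding: escape every dynamic value before it is placed in HTML.
// ENT_QUOTES also encodes single and double quotes, so the result is safe
// inside attribute values as well as in element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: allow-list the admin name (letters, digits, space, . _ -)
// with a length cap, so markup characters never reach the database at all.
function validateAdminName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 ._-]+$/', $name) === 1 ? $name : null;
}

// Email: syntactic validation plus a length cap. FILTER_VALIDATE_EMAIL
// rejects addresses containing angle brackets or quotes.
function validateEmail(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Vulnerable rendering pattern, kept only for contrast: raw values are
// concatenated straight into attribute values.
function renderProfileUnsafe(array $profile): string
{
    return '<input name="adminname" value="' . $profile['adminname'] . '">'
         . '<input name="email" value="' . $profile['email'] . '">';
}

// Hardened rendering: the same markup, with every value passed through e().
function renderProfileSafe(array $profile): string
{
    return '<input name="adminname" value="' . e($profile['adminname']) . '">'
         . '<input name="email" value="' . e($profile['email']) . '">';
}

// Compensating control: a CSP without 'unsafe-inline', so a stored payload
// that slips past encoding cannot run as an inline script or event handler.
// The policy below is illustrative and must match the app's own asset sources.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Handling the profile form POST (hypothetical flow). On success the caller
// stores the validated values using a prepared statement.
function handleProfileUpdate(array $post): array
{
    $errors = [];
    $name  = validateAdminName((string) ($post['adminname'] ?? ''));
    $email = validateEmail((string) ($post['email'] ?? ''));
    if ($name === null) {
        $errors[] = 'adminname: letters, digits, space, . _ - only (max 64)';
    }
    if ($email === null) {
        $errors[] = 'email: not a valid address';
    }
    return ['ok' => $errors === [], 'adminname' => $name, 'email' => $email, 'errors' => $errors];
}

// Constructed sample record: a name whose quote and angle brackets would
// close the value attribute early if echoed raw.
$stored = ['adminname' => 'admin"><em>injected</em>', 'email' => 'admin@example.test'];

echo renderProfileUnsafe($stored), "\n"; // the markup in the name becomes part of the page
echo renderProfileSafe($stored), "\n";   // quotes and brackets are entity-encoded, so it renders as text
$result = handleProfileUpdate($stored);
echo $result['ok'] ? "accepted\n" : 'rejected: ' . implode('; ', $result['errors']) . "\n";
```

The two rendering functions emit the same form; only renderProfileSafe() survives the sample record intact, and handleProfileUpdate() shows that the same record is rejected at input time, which is the defense-in-depth the remediation calls for: validation keeps markup out of storage, encoding keeps any stored value inert, and the CSP limits what an inline payload could do if both were bypassed.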