PHPGurukul Curfew e-Pass Management System CVE-2025-12311
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was detected in PHPGurukul Curfew e-Pass Management System 1.0. This issue affects some unknown processing of the file edit-category-detail.php. The manipulation of the argument catname results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
Analysis (AI)
Stored or reflected cross-site scripting (XSS) in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated users with high privileges to inject malicious scripts via the catname parameter in edit-category-detail.php, affecting application integrity with low severity (CVSS 1.9, EPSS 0.03%). Publicly available exploit code exists; however, exploitation requires user interaction and high-level administrative credentials, significantly limiting real-world attack surface.
Technical Context (AI)
The vulnerability exists in a PHP-based web application for managing curfew e-pass systems. The affected component is the edit-category-detail.php file, which processes user input from the catname parameter without proper sanitization or output encoding. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw where untrusted user input is reflected or stored in the web application's response without validation. The attack vector is network-based (AV:N) and exploitable with low complexity (AC:L) through standard HTTP requests, though it requires a high-privilege account and passive user interaction (PR:H/UI:P) to trigger. The lack of input validation in the PHP backend allows an attacker to embed arbitrary JavaScript code that executes in the context of other users' browsers.
Remediation (AI)
No vendor-released patch version has been identified at the time of analysis. Immediate remediation should focus on input validation and output encoding. Implement server-side input validation to reject or sanitize the catname parameter, rejecting any input containing HTML/JavaScript special characters (<, >, ", ', etc.) or using a whitelist of allowed characters. Apply output encoding using PHP's htmlspecialchars() or equivalent context-aware encoding before rendering the catname value in edit-category-detail.php. As a temporary compensating control, restrict access to edit-category-detail.php and category management functions to a minimal set of trusted administrators, and disable the category editing feature entirely if not actively required. Organizations should contact PHPGurukul at https://phpgurukul.com/ to request a security patch. Vulnerability details and advisory information are documented at https://vuldb.com/?id.329983.
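The two controls described above, allowlist validation on input and encoding on output, sketched as an added example; this is not PHPGurukul's code. The function names, the permitted character set, the 64-character limit and the sample inputs are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allowlist validation for the catname value.
// The permitted characters and length limit are assumptions; adjust them
// to the category names the deployment actually uses.
function validate_catname(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, spaces and a little punctuation; no <, >, " or '.
    if (preg_match('/\A[\p{L}\p{N} .,&()\/-]{1,64}\z/u', $name) !== 1) {
        return null; // caller should refuse the update and show an error
    }
    return $name;
}

// Output encoding for HTML text and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical rendering of the edit form field. Encoding happens here,
// at output time, so rows stored before validation existed are also safe.
function render_category_field(string $storedName): string
{
    return '<input type="text" name="catname" value="' . e($storedName) . '">';
}

// Constructed sample inputs, not taken from the application or the advisory.
$samples = [
    'Medical Emergency',
    'Food & Grocery Supply',
    '"><b>markup</b>',
];

foreach ($samples as $raw) {
    $clean = validate_catname($raw);
    printf("%-24s => %s\n", $raw, $clean === null ? 'rejected' : 'accepted');
    // Render the raw value to show that encoding alone neutralises the markup.
    echo '  ', render_category_field($raw), "\n";
}
```

Validation keeps unexpected characters out of the database, while the encoding step is what prevents script execution when the value is rendered, so both belong in the fix.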