PHPGurukul Curfew e-Pass CVE-2025-12312
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in PHPGurukul Curfew e-Pass Management System 1.0. Impacted is an unknown function of the file view-pass-detail.php. This manipulation of the argument Fullname/Category causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.
AnalysisAI
Reflected cross-site scripting in PHPGurukul Curfew e-Pass Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the Fullname or Category parameters in view-pass-detail.php, exploitable only when a victim with sufficient privileges views a crafted link. The CVSS score of 1.9 reflects severe exploitation constraints: high privilege requirement, user interaction dependency, and limited impact scope, despite a public exploit being available.
Technical ContextAI
The vulnerability exploits improper input validation in the view-pass-detail.php endpoint, a common weakness in PHP web applications that fail to sanitize or encode user-supplied data before rendering it in HTML context. CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: the Fullname and Category parameters are reflected in the HTTP response without HTML entity encoding or context-aware output encoding. This is a reflected XSS variant that requires the victim to click a malicious link, distinguishing it from stored XSS which would have broader impact. The affected product (PHPGurukul Curfew e-Pass Management System 1.0, CPE: cpe:2.3:a:phpgurukul:curfew_e-pass_management_system:1.0) is a PHP-based access control or credential management system commonly used in educational or institutional settings.
RemediationAI
No vendor-released patch has been identified at the time of analysis. Immediate mitigation requires applying output encoding to the Fullname and Category parameters in view-pass-detail.php: use htmlspecialchars() or similar functions to convert special characters (e.g., <, >, &, ", ') to HTML entities before rendering in HTML context. For example, replace echo $Fullname with echo htmlspecialchars($Fullname, ENT_QUOTES, 'UTF-8'). Additionally, implement Content Security Policy (CSP) headers (e.g., Content-Security-Policy: default-src 'self'; script-src 'self') to restrict inline script execution and mitigate XSS impact even if encoding is bypassed. If available, upgrade PHPGurukul Curfew e-Pass Management System to a newer version after confirming it patches this vulnerability. If no patch exists, restrict access to view-pass-detail.php via network-level controls (e.g., IP whitelisting, VPN-only access) to reduce the number of high-privilege users who can be socially engineered into clicking malicious links. Monitor for unusual activity such as high-privilege accounts accessing the system via unexpected geographic locations or at unusual times, which may indicate compromised credentials.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today