Simple Stock System
CVE-2025-14962
LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in Simple Stock System 1.0 via the /market/chatuser.php endpoint allows remote attackers to inject malicious scripts without authentication. User interaction is required for the payload to execute. Publicly available exploit code exists; the EPSS score of 0.08% indicates a low statistical probability of exploitation despite the XSS classification.
Technical Context (AI)
Simple Stock System 1.0, a PHP-based inventory management application, fails to properly sanitize user input in the /market/chatuser.php file before rendering it in web responses. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the standard category for reflected and stored XSS flaws. The attack vector is network-based (AV:N) with low complexity (AC:L); the only precondition is that a victim clicks a malicious link or visits a page containing the injected payload. The low CVSS score (2.1) and minimal EPSS percentile (23%) reflect the requirement for user interaction (UI:P) and the limited impact scope (low integrity impact, VI:L, with no confidentiality or availability impact in the vector). XSS can nonetheless enable credential theft, session hijacking, or malware delivery, depending on the application's role in the target environment.
Remediation (AI)
No vendor-released patch or upgraded version has been identified at the time of analysis. Immediate remediation requires either upgrading to a patched version from the vendor (if one becomes available) or discontinuing use of Simple Stock System 1.0 and migrating to a maintained alternative.

As interim compensating controls: implement HTML output encoding in the /market/chatuser.php file by applying PHP's htmlspecialchars() or htmlentities() to all user-supplied input before rendering it in HTML contexts; validate chat input against an allowlist (e.g., permit only alphanumeric characters and select punctuation); deploy a Content Security Policy (CSP) header that restricts inline script execution (Content-Security-Policy: default-src 'self'; script-src 'self') to limit the effectiveness of an injected payload; and monitor application logs for unusual characters in chatuser.php requests (e.g., <, >, quotes) that may indicate injection attempts. Note that CSP is a compensating control that limits what an injected script can do; it does not eliminate the vulnerability. The absence of vendor activity suggests this project may be unmaintained; security teams should plan migration timelines accordingly.
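The output encoding, allowlist validation and CSP header described above, shown together as an added PHP example (this is not code from Simple Stock System; the page does not identify the affected function, so the `message` parameter name and the list-item markup are assumptions):

```php
<?php
// Added example, not code from Simple Stock System. The page does not say which
// function in /market/chatuser.php is affected, so the 'message' parameter and
// the <li> layout below are assumptions chosen to illustrate the fix pattern.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): user-controlled text is concatenated straight
// into the HTML response, so any markup in it is interpreted by the browser.
function render_chat_line_vulnerable(string $user, string $message): string
{
    return "<li><b>$user</b>: $message</li>";
}

// Output encoding for the HTML body context. ENT_QUOTES also encodes single
// quotes, so the same helper is safe inside quoted attribute values;
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently yielding an empty string.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_chat_line(string $user, string $message): string
{
    return '<li><b>' . html_escape($user) . '</b>: ' . html_escape($message) . '</li>';
}

// Allowlist validation on input: letters, digits, whitespace and a few
// punctuation marks, with a length bound. Output encoding is still required.
function is_valid_chat_message(string $message): bool
{
    return strlen($message) <= 500
        && preg_match('/\A[\p{L}\p{N}\s.,!?:;()\'-]*\z/u', $message) === 1;
}

// The CSP from the remediation text: a mitigation, not a fix for the encoding bug.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

send_security_headers(); // no-op under the CLI, sent before any output otherwise

// Constructed sample: the kind of request the log-monitoring advice looks for.
$sample = 'hello <script>alert(1)</script>';
var_dump(is_valid_chat_message($sample));      // rejected by the allowlist
echo render_chat_line('alice', $sample), "\n"; // '<' and '>' arrive as entities
```

The validator rejects the constructed sample, and even if validation were bypassed, render_chat_line() emits the angle brackets as entities so the browser shows them as text rather than executing them.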