Campcodes Complete Online Beauty Parlor Management System CVE-2025-14991
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Executing a manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Analysis (AI)
Reflected cross-site scripting (XSS) in Campcodes Complete Online Beauty Parlor Management System 1.0: the fromdate parameter of /admin/bwdates-reports-details.php is written back into the report page without encoding, so script supplied in that parameter executes in the browser of the admin user who loads the page. A successful attack could expose the admin session or data shown in the admin panel. Public exploit code exists, but the CVSS 4.0 vector requires high privileges (PR:H) and passive user interaction (UI:P, for example an admin following a crafted link while logged in), which limits the real-world attack surface and is consistent with the 1.9 (Low) score.
Technical Context (AI)
The vulnerability is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in a PHP-based web application: /admin/bwdates-reports-details.php neither validates the fromdate parameter as a date nor HTML-encodes it before writing it into the HTML response, so an attacker can inject arbitrary HTML and JavaScript. The affected product is a beauty salon management system, a small niche application more likely to be deployed by local or regional businesses than in enterprise infrastructure. The attack vector is network-based (AV:N), but PR:H (Privileges Required: High) and UI:P (User Interaction: Passive) in the CVSS 4.0 vector mean this is NOT a remote unauthenticated vulnerability: exploitation requires admin-level access and an admin user who loads the crafted request, typically by being tricked into visiting a malicious link while authenticated.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. Contact Campcodes via www.campcodes.com to request a fixed version, or upgrade to a newer release if one is available. As a compensating control, validate fromdate server-side against the exact date format the report expects and reject anything else, and HTML-encode it (htmlspecialchars() in PHP, with ENT_QUOTES and an explicit charset) at every point where it is written into the page. Encoding must match the output context: a value placed inside a JavaScript block or an unquoted attribute needs different treatment than HTML body text or a quoted attribute value. Additionally, set a strict Content-Security-Policy header that disallows inline script execution, which limits the impact of any injected XSS that slips past encoding elsewhere in the admin panel. Restrict access to /admin/ to specific IP addresses or a VPN to reduce exposure to social engineering. Apply the principle of least privilege: assign admin accounts only to users who require admin access, and educate staff on phishing risks.