Skip to main content

Client Details System CVE-2025-60302

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-09 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Adding customer records in a client management system most plausibly requires low-privilege authentication, warranting PR:L over the NVD-assigned PR:N; all other metrics follow from the stored XSS pattern.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:07 vuln.today

DescriptionCVE.org

code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field.

AnalysisAI

Stored cross-site scripting in code-projects Client Details System 1.0 allows an attacker who can submit customer records to persist malicious JavaScript in the username field, which then executes in the browser of any user who subsequently views that record. The CVSS scope change (S:C) indicates the payload crosses from the application's trust boundary into a victim's browser session, enabling session hijacking or credential theft against administrative users. A publicly available proof-of-concept exists, though no CISA KEV listing has been issued and the EPSS score of 0.22% (12th percentile) reflects low observed exploitation activity.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input in the username field is neither sanitized on ingestion nor properly HTML-encoded on output, allowing raw script tags or JavaScript event handlers to be stored and later rendered as executable code in victims' browsers. The affected product, identified by CPE cpe:2.3:a:fabian:client_details_system:1.0:*:*:*:*:*:*:*, is a PHP-based web application from 'code-projects' (vendor slug: fabian), a platform known for distributing student and demo-grade PHP projects. The attack is persistent (stored) XSS rather than reflected: the payload survives across user sessions and does not require repeated delivery to each victim.

RemediationAI

No vendor-released patch has been identified at time of analysis for Client Details System 1.0. The only public reference is the researcher's PoC writeup, with no corresponding upstream fix or tagged release confirmed. As a specific compensating control, administrators should disable or restrict access to the customer-addition form until the input handling is corrected - particularly blocking unauthenticated access if the form is externally reachable. Developers should apply HTML entity encoding (e.g., htmlspecialchars() in PHP with ENT_QUOTES) to all user-supplied fields, including the username field, before storing or rendering them. A Content Security Policy (CSP) header restricting inline script execution would reduce the exploitability of any residual XSS vectors, though it does not eliminate the underlying flaw. Given this is a demo-grade application, replacing it with a maintained alternative may be more practical than patching. Advisory reference: https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60302.md.

CVE-2023-7142 CRITICAL POC
9.8 Dec 29

A vulnerability was found in code-projects Client Details System 1.0. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-7141 CRITICAL POC
9.8 Dec 29

A vulnerability was found in code-projects Client Details System 1.0. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-7140 CRITICAL POC
9.8 Dec 28

A vulnerability was found in code-projects Client Details System 1.0 and classified as problematic.php. Rated critical s

CVE-2023-7139 CRITICAL POC
9.8 Dec 28

A vulnerability has been found in code-projects Client Details System 1.0 and classified as problematic. Rated critical

CVE-2023-7138 HIGH POC
8.8 Dec 28

A vulnerability, which was classified as critical, was found in code-projects Client Details System 1.0. Rated high seve

CVE-2023-7137 HIGH POC
8.8 Dec 28

A vulnerability, which was classified as critical, has been found in code-projects Client Details System 1.0. Rated high

CVE-2023-7143 MEDIUM POC
4.8 Dec 29

A vulnerability was found in code-projects Client Details System 1.0. Rated medium severity (CVSS 4.8), this vulnerabili

CVE-2025-11605 LOW POC
2.1 Oct 11

SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid par

CVE-2025-12243 LOW POC
2.1 Oct 27

SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID para

CVE-2025-12283 LOW POC
2.1 Oct 27

Authentication bypass in code-projects Client Details System 1.0 allows authenticated remote attackers to gain unauthori

CVE-2025-12282 LOW POC
1.9 Oct 27

Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated users with high privil

CVE-2025-12279 LOW POC
1.9 Oct 27

Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows remote attackers with high privileges and u

Share

CVE-2025-60302 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy