Client Details System
CVE-2025-60302
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Adding customer records in a client management system most plausibly requires low-privilege authentication, warranting PR:L over the NVD-assigned PR:N; all other metrics follow from the stored XSS pattern.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field.
AnalysisAI
Stored cross-site scripting in code-projects Client Details System 1.0 allows an attacker who can submit customer records to persist malicious JavaScript in the username field, which then executes in the browser of any user who subsequently views that record. The CVSS scope change (S:C) indicates the payload crosses from the application's trust boundary into a victim's browser session, enabling session hijacking or credential theft against administrative users. A publicly available proof-of-concept exists, though no CISA KEV listing has been issued and the EPSS score of 0.22% (12th percentile) reflects low observed exploitation activity.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input in the username field is neither sanitized on ingestion nor properly HTML-encoded on output, allowing raw script tags or JavaScript event handlers to be stored and later rendered as executable code in victims' browsers. The affected product, identified by CPE cpe:2.3:a:fabian:client_details_system:1.0:*:*:*:*:*:*:*, is a PHP-based web application from 'code-projects' (vendor slug: fabian), a platform known for distributing student and demo-grade PHP projects. The attack is persistent (stored) XSS rather than reflected: the payload survives across user sessions and does not require repeated delivery to each victim.
RemediationAI
No vendor-released patch has been identified at time of analysis for Client Details System 1.0. The only public reference is the researcher's PoC writeup, with no corresponding upstream fix or tagged release confirmed. As a specific compensating control, administrators should disable or restrict access to the customer-addition form until the input handling is corrected - particularly blocking unauthenticated access if the form is externally reachable. Developers should apply HTML entity encoding (e.g., htmlspecialchars() in PHP with ENT_QUOTES) to all user-supplied fields, including the username field, before storing or rendering them. A Content Security Policy (CSP) header restricting inline script execution would reduce the exploitability of any residual XSS vectors, though it does not eliminate the underlying flaw. Given this is a demo-grade application, replacing it with a maintained alternative may be more practical than patching. Advisory reference: https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60302.md.
More in Client Details System
View allA vulnerability was found in code-projects Client Details System 1.0. Rated critical severity (CVSS 9.8), this vulnerabi
A vulnerability was found in code-projects Client Details System 1.0. Rated critical severity (CVSS 9.8), this vulnerabi
A vulnerability was found in code-projects Client Details System 1.0 and classified as problematic.php. Rated critical s
A vulnerability has been found in code-projects Client Details System 1.0 and classified as problematic. Rated critical
A vulnerability, which was classified as critical, was found in code-projects Client Details System 1.0. Rated high seve
A vulnerability, which was classified as critical, has been found in code-projects Client Details System 1.0. Rated high
A vulnerability was found in code-projects Client Details System 1.0. Rated medium severity (CVSS 4.8), this vulnerabili
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the uid par
SQL injection in code-projects Client Details System 1.0 allows authenticated remote attackers to manipulate the ID para
Authentication bypass in code-projects Client Details System 1.0 allows authenticated remote attackers to gain unauthori
Stored cross-site scripting (XSS) in code-projects Client Details System 1.0 allows authenticated users with high privil
Cross-site scripting (XSS) in code-projects Client Details System 1.0 allows remote attackers with high privileges and u
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today