Simple Scheduling System
CVE-2025-60304
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
PR:L assigned because schedule creation in a scheduling system typically requires a user account; all other metrics align with a standard stored XSS with scope change.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field.
AnalysisAI
Stored Cross-Site Scripting in code-projects Simple Scheduling System 1.0 allows an attacker to inject arbitrary JavaScript via the Subject Description field, which executes in victims' browsers when they view the affected page. The scope change in the CVSS vector (S:C) confirms the script runs in a different security context than where the payload is injected, enabling session hijacking, credential theft, or malicious redirects against users of the application. A publicly available proof-of-concept exploit exists, though exploitation probability remains low (EPSS 0.22%) and no confirmed active exploitation is recorded.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to encode or sanitize user-controlled input before it is reflected or stored and subsequently rendered in an HTML context. In this case, the Subject Description field in Simple Scheduling System 1.0 - identified by CPE cpe:2.3:a:fabian:simple_scheduling_system:1.0:*:*:*:*:*:*:* - accepts arbitrary HTML/JavaScript without sanitization. The CVSS scope change metric (S:C) indicates the injected script executes in the victim browser's origin, distinct from the server-side component where the injection occurs, consistent with a stored or reflected XSS pattern that crosses a trust boundary. The affected product is a PHP-based open-source scheduling application from code-projects authored by 'fabian'.
RemediationAI
No vendor-released patch has been identified at time of analysis for Simple Scheduling System 1.0. Organizations running this application should immediately apply output encoding to all user-supplied fields - particularly Subject Description - using context-appropriate escaping (e.g., htmlspecialchars() in PHP with ENT_QUOTES). As a compensating control, a Content Security Policy (CSP) header restricting inline script execution can substantially reduce XSS impact, though it does not fix the underlying injection flaw. Input validation should reject or strip HTML tags from scheduling fields that do not require rich text. If the application cannot be patched, consider restricting access to trusted internal users only via network-layer controls such as firewall rules or VPN requirements, reducing exposure to untrusted parties who could inject payloads. Technical details and reproduction steps are available at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60304.md.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today