Skip to main content

Simple Scheduling System CVE-2025-60304

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-09 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L assigned because schedule creation in a scheduling system typically requires a user account; all other metrics align with a standard stored XSS with scope change.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:08 vuln.today

DescriptionCVE.org

code-projects Simple Scheduling System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Subject Description field.

AnalysisAI

Stored Cross-Site Scripting in code-projects Simple Scheduling System 1.0 allows an attacker to inject arbitrary JavaScript via the Subject Description field, which executes in victims' browsers when they view the affected page. The scope change in the CVSS vector (S:C) confirms the script runs in a different security context than where the payload is injected, enabling session hijacking, credential theft, or malicious redirects against users of the application. A publicly available proof-of-concept exploit exists, though exploitation probability remains low (EPSS 0.22%) and no confirmed active exploitation is recorded.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to encode or sanitize user-controlled input before it is reflected or stored and subsequently rendered in an HTML context. In this case, the Subject Description field in Simple Scheduling System 1.0 - identified by CPE cpe:2.3:a:fabian:simple_scheduling_system:1.0:*:*:*:*:*:*:* - accepts arbitrary HTML/JavaScript without sanitization. The CVSS scope change metric (S:C) indicates the injected script executes in the victim browser's origin, distinct from the server-side component where the injection occurs, consistent with a stored or reflected XSS pattern that crosses a trust boundary. The affected product is a PHP-based open-source scheduling application from code-projects authored by 'fabian'.

RemediationAI

No vendor-released patch has been identified at time of analysis for Simple Scheduling System 1.0. Organizations running this application should immediately apply output encoding to all user-supplied fields - particularly Subject Description - using context-appropriate escaping (e.g., htmlspecialchars() in PHP with ENT_QUOTES). As a compensating control, a Content Security Policy (CSP) header restricting inline script execution can substantially reduce XSS impact, though it does not fix the underlying injection flaw. Input validation should reject or strip HTML tags from scheduling fields that do not require rich text. If the application cannot be patched, consider restricting access to trusted internal users only via network-layer controls such as firewall rules or VPN requirements, reducing exposure to untrusted parties who could inject payloads. Technical details and reproduction steps are available at https://github.com/Chen1-Boop/CVE/blob/main/CVE-2025-60304.md.

Share

CVE-2025-60304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy