PHPGurukul Apartment Visitors Management System CVE-2025-7856
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file pass-details.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated users to inject malicious scripts via the visname parameter in pass-details.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:P) but can be exploited remotely by any authenticated user with access to the HTTP POST request handler. Publicly available exploit code exists, though the low EPSS score (0.05%) and requirement for user interaction and authentication suggest limited real-world exploitation risk.
Technical Context (AI)
This is a reflected or stored cross-site scripting (CWE-79) vulnerability in a PHP-based visitor management application. The vulnerability exists in the pass-details.php file, which processes HTTP POST requests containing visitor information. The code handling the visname parameter does not properly validate or encode user input before rendering it in responses or storing it in the system. PHP applications commonly suffer from XSS when output is emitted with echo or print without htmlspecialchars() or equivalent output encoding. The application appears to be a web-based system for managing apartment visitor passes and details, which suggests it processes and displays visitor-submitted or staff-entered data without adequate input validation or output encoding.
Remediation (AI)
No vendor-released patch identified at time of analysis. The primary mitigation is to upgrade to a patched version if available from PHPGurukul, or to immediately apply input validation and output encoding to the visname parameter and all user-controlled inputs processed by pass-details.php. Developers should apply htmlspecialchars() or an equivalent encoding function to all output rendered to users, and validate the visname parameter against an allowlist of permitted characters (alphanumeric and common name characters only). As a compensating control, restrict access to the pass-details.php endpoint and related visitor management features to trusted internal staff only, using network-level access controls or IP allowlisting. Additionally, deploy a Content Security Policy (CSP) header with a nonce-based script-src (optionally combined with 'strict-dynamic') to block inline script execution, which reduces the impact of any residual XSS issues. These controls have minimal performance impact but require code deployment and may restrict some functionality if the application intentionally renders user-provided HTML.
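As an added illustration (not PHPGurukul's code), the unencoded-output pattern the Technical Context describes beside the allowlist-plus-encoding handling the Remediation recommends; the function names, the allowlist pattern and the sample input are assumptions constructed for this example.

```php
<?php
// Hypothetical minimal handler in the style of pass-details.php (added example,
// not the project's own code). It receives the POSTed visname and renders it.

// --- Vulnerable pattern: raw POST value dropped straight into HTML ---
function render_vulnerable(array $post): string
{
    $visname = $post['visname'] ?? '';
    return "<td>Visitor: $visname</td>"; // no validation, no output encoding
}

// --- Hardened pattern: allowlist validation, then context-aware encoding ---
function validate_visname(string $visname): ?string
{
    $visname = trim($visname);
    // Assumed allowlist for a person's name: letters (any script), digits,
    // space, apostrophe, hyphen, period; length 1..60 characters.
    if ($visname === '' || mb_strlen($visname, 'UTF-8') > 60) {
        return null;
    }
    if (!preg_match("/^[\p{L}\p{N} .'-]+$/u", $visname)) {
        return null;
    }
    return $visname;
}

function html_escape(string $value): string
{
    // Encode <, >, &, " and ' for an HTML text/attribute context.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $post): string
{
    $visname = validate_visname((string)($post['visname'] ?? ''));
    if ($visname === null) {
        http_response_code(400);
        return '<td>Invalid visitor name</td>';
    }
    // Even validated data is encoded on output: validation and encoding are
    // independent layers, so a later allowlist change cannot reintroduce XSS.
    return '<td>Visitor: ' . html_escape($visname) . '</td>';
}

// Constructed sample input: a name carrying markup that a browser would execute.
$sample = ['visname' => "O'Brien<script>alert(1)</script>"];
echo render_vulnerable($sample), PHP_EOL; // markup reaches the browser intact
echo render_hardened($sample), PHP_EOL;   // rejected by the allowlist

// A legitimate name passes validation and is still encoded on output.
echo render_hardened(['visname' => "Mary O'Brien"]), PHP_EOL;
```

Run with `php example.php` from the command line; the first line shows why the raw pattern is exploitable, the second and third show the two layers doing their job.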