PHPGurukul Apartment Visitors Management System CVE-2025-7857
Severity by source: LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file bwdates-passreports-details.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in PHPGurukul Apartment Visitors Management System 1.0 allows authenticated remote attackers to inject malicious JavaScript via the visname parameter in bwdates-passreports-details.php, with user interaction required. Publicly available exploit code exists, though EPSS exploitation probability remains low at 0.05%, indicating limited real-world weaponization despite disclosure.
Technical Context (AI)
The vulnerability exists in the HTTP POST request handler for bwdates-passreports-details.php, a PHP file component of the Apartment Visitors Management System. The root cause is improper input validation and output encoding of the visname parameter (CWE-79: Improper Neutralization of Input During Web Page Generation). User-supplied input is reflected in the HTTP response without sanitization or context-aware encoding, allowing attackers to inject arbitrary JavaScript code that executes in the victim's browser.
Remediation (AI)
The primary remediation is to upgrade to a patched version if available from the vendor at phpgurukul.com; however, no vendor-released patch version is identified in available data. As an immediate compensating control, implement input validation on the visname parameter by whitelisting allowed characters and rejecting any input containing HTML metacharacters or JavaScript event handlers. Additionally, apply context-aware output encoding (HTML entity encoding) when reflecting the visname parameter in the HTTP response, ensuring special characters like < > " ' are converted to their HTML entity equivalents (&lt; &gt; &quot; &#39;). If feasible, add a Content Security Policy (CSP) header that prohibits inline script execution, though this requires broader application review. Contact PHPGurukul for security patch availability and consider migrating to actively maintained visitor management software if patches are unavailable.
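The two compensating controls described above (allowlist validation of visname, then HTML entity encoding at output), as an added PHP example that is not the application's own code. The source of bwdates-passreports-details.php is not shown on this page, so the function names, the allowed character set, the 64-character limit and the markup are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration: function names, allowlist and length limit are assumptions,
// not taken from the PHPGurukul code base.

/** Return the visitor name if it matches the allowlist, otherwise null. */
function validate_visname(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                 // e.g. visname[]=x arrives as an array
    }
    $name = trim($raw);
    // Letters, combining marks, space, dot, apostrophe, hyphen; 1 to 64 characters.
    // With /u, invalid UTF-8 makes preg_match return false, which is also rejected.
    if (preg_match("/^[\\p{L}\\p{M} .'\\-]{1,64}\\z/u", $name) !== 1) {
        return null;
    }
    return $name;
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the fragment that reflects visname back into the report page. */
function render_report_heading(array $post): string
{
    $name = validate_visname($post['visname'] ?? null);
    if ($name === null) {
        return '<p class="error">Invalid visitor name.</p>';
    }
    // The allowlist admits the apostrophe, so output encoding is still required.
    return '<h4>Report for visitor: ' . html_text($name) . '</h4>';
}

// Constructed sample inputs: a valid name, markup, and a non-string value.
$samples = ["O'Neil", '<b>not-a-name</b>', ['nested']];
foreach ($samples as $sample) {
    echo render_report_heading(['visname' => $sample]), PHP_EOL;
}
```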