Public Chat Room
CVE-2025-7951
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as problematic has been found in code-projects Public Chat Room 1.0. This affects an unknown part of the file /send_message.php. The manipulation of the argument chat_msg/your_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting in Public Chat Room 1.0 allows authenticated remote attackers to inject malicious scripts via the chat_msg or your_name parameters in /send_message.php; user interaction is required to trigger payload execution. The vulnerability has a low CVSS score (2.0) and a low EPSS exploitation probability (0.05th percentile), but publicly available exploit code exists, which lowers the effort required of threat actors with valid credentials.
Technical Context (AI)
Public Chat Room is a PHP-based web application for real-time messaging. The vulnerability stems from inadequate input sanitization in the /send_message.php endpoint, which handles user-supplied chat messages and usernames. The application fails to properly encode or filter the chat_msg and your_name parameters before reflecting them in HTTP responses, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). This class of flaw allows attackers to inject arbitrary HTML and JavaScript that executes in victims' browsers when they view the poisoned message.
Remediation (AI)
Vendor-released patch information is not identified at time of analysis. Immediate remediation should include implementing output encoding (HTML entity encoding) for all user-supplied input reflected in responses, specifically the chat_msg and your_name parameters. As a temporary compensating control, apply a Web Application Firewall (WAF) rule set that blocks requests to the /send_message.php endpoint containing script tags, event handlers (onclick, onerror, etc.), and encoded XSS payloads. If business requirements permit, restrict access to the chat application to trusted internal networks only, reducing the attack surface while patches are developed. Conduct a code review of all input handling in the application and implement input validation using a whitelist approach (allowing only alphanumeric characters and basic punctuation for usernames; sanitizing message content server-side). Upgrade to a newer version of Public Chat Room once one is available; if the vendor does not release a patch, migrate to an alternative chat solution with security hardening.
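The output encoding and whitelist validation described above, sketched as an added example: this is not code from Public Chat Room or its vendor. Only the parameter names chat_msg and your_name come from this page; the function names, length limits and HTML fragment are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration: NOT the source of Public Chat Room's send_message.php.
// Function names, length limits and the HTML fragment are assumptions.

/** Allow-list check for the display name (your_name). */
function validate_name($raw): ?string
{
    if (!is_string($raw)) {          // rejects array input such as your_name[]=x
        return null;
    }
    $name = trim($raw);
    // Letters, digits, space and basic punctuation only, 1-32 characters.
    return preg_match('/^[A-Za-z0-9 ._-]{1,32}\z/', $name) === 1 ? $name : null;
}

/** Type and size check for the message body (chat_msg). */
function validate_message($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $msg = trim($raw);
    return ($msg === '' || strlen($msg) > 1000) ? null : $msg;
}

/** HTML entity encoding at output time (element content and quoted attributes). */
function h(string $value): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the HTML fragment for one chat line; null means the input was rejected. */
function render_chat_line(array $post): ?string
{
    $name = validate_name($post['your_name'] ?? null);
    $msg  = validate_message($post['chat_msg'] ?? null);
    if ($name === null || $msg === null) {
        return null;
    }
    // Encode both values even though the name passed the allow-list.
    return '<p><strong>' . h($name) . ':</strong> ' . h($msg) . '</p>';
}

// Constructed sample input: markup in chat_msg is emitted as inert text.
echo render_chat_line(['your_name' => 'alice', 'chat_msg' => '<b>hello</b> & "goodbye"']), PHP_EOL;
// A name outside the allow-list is rejected before anything is rendered.
var_dump(render_chat_line(['your_name' => '<i>bob</i>', 'chat_msg' => 'hi']));
```

Encoding happens where the value is written into HTML, so messages already stored without validation are still rendered safely.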