PHPGurukul Taxi Stand Management System CVE-2025-8115
Severity (by source): LOW

CVSS vector (NVD; primary rating and only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability has been found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/new-autoortaxi-entry-form.php. The manipulation of the argument registrationnumber/licensenumber leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting in PHPGurukul Taxi Stand Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the registrationnumber or licensenumber parameters of /admin/new-autoortaxi-entry-form.php; a victim must interact (open a crafted link) for the script to run. The vulnerability carries a low CVSS score of 2.0 because of the authentication and user-interaction requirements. Although public exploit code exists, the EPSS score (0.07%) indicates minimal real-world exploitation probability.
Technical Context (AI)
The vulnerability is a reflected cross-site scripting (XSS) flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected application is a PHP-based taxi stand management system that fails to properly sanitize user-supplied input in the registrationnumber and licensenumber parameters before echoing them in the admin form at /admin/new-autoortaxi-entry-form.php. An attacker authenticated to the admin panel can craft a malicious URL containing JavaScript payloads in these parameters, which are reflected in the HTTP response without encoding, allowing arbitrary script execution in the context of an authenticated user's session when they visit the crafted link.
Remediation (AI)
No vendor-released patch has been identified at time of analysis. Immediate mitigation requires implementing input validation and output encoding on the registrationnumber and licensenumber parameters in /admin/new-autoortaxi-entry-form.php using PHP's htmlspecialchars() or equivalent HTML entity encoding function before displaying values in HTML context. Apply Content Security Policy (CSP) headers with script-src 'self' to limit inline script execution as a defense-in-depth measure. For organizations unable to patch the source code immediately, restrict admin panel access to trusted IP ranges via firewall rules and implement session timeout policies (e.g., 15-minute idle timeout) to reduce the window for social engineering attacks. Monitor admin panel access logs for suspicious referrers containing encoded payloads. If the application is no longer maintained, consider migrating to an actively supported taxi management solution.
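To make the output-encoding advice above concrete, here is an added illustration that is not PHPGurukul's code: a constructed fragment of an admin form that re-displays the registrationnumber and licensenumber parameters, showing the unsafe reflection pattern next to a hardened version with htmlspecialchars(), a plausibility check on the values, and the suggested CSP header. The `esc()` and `is_plausible_identifier()` helpers and the identifier format are assumptions.

```php
<?php
// Added example, not PHPGurukul's code. Constructed admin-form fragment that
// re-displays the registrationnumber and licensenumber query parameters.

// Unsafe pattern (the class of bug described above): the raw parameter is
// written straight into an attribute value, so a quote character in the
// input can close the attribute and inject markup into the page.
function render_field_unsafe(string $name, ?string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . ($value ?? '') . '">';
}

// Hardened pattern: encode for HTML context before output. ENT_QUOTES covers
// both single and double quotes (needed inside attribute values); the explicit
// UTF-8 charset keeps the encoder from silently returning an empty string on
// invalid byte sequences, and ENT_SUBSTITUTE replaces them instead.
function esc(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_field_safe(string $name, ?string $value): string
{
    return '<input type="text" name="' . esc($name) . '" value="' . esc($value) . '">';
}

// Input validation in addition to encoding: reject anything that cannot be a
// plausible registration or licence number (format is an assumption; adapt it
// to the real numbering scheme).
function is_plausible_identifier(?string $value): bool
{
    return $value !== null && preg_match('/^[A-Za-z0-9 -]{1,20}$/', $value) === 1;
}

// Defense in depth: disallow inline scripts, as the remediation notes suggest.
// Headers must be sent before any output.
header("Content-Security-Policy: script-src 'self'");

$reg = $_GET['registrationnumber'] ?? '';
$lic = $_GET['licensenumber'] ?? '';
if (!is_plausible_identifier($reg) || !is_plausible_identifier($lic)) {
    http_response_code(400);
    exit('Invalid registration or licence number.');
}
echo render_field_safe('registrationnumber', $reg), "\n";
echo render_field_safe('licensenumber', $lic), "\n";
```

The unsafe renderer is kept only for comparison and is never called; in a real fix every place that echoes these parameters (attribute values and element bodies alike) should go through `esc()`.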