Simple Car Rental System
CVE-2025-8337
LOW
Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_vehicles.php. The manipulation of the argument car_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in Simple Car Rental System 1.0 allows authenticated administrators to inject malicious scripts via the car_name parameter in /admin/add_vehicles.php, which are then executed in the browsers of other users viewing vehicle listings. The vulnerability requires high-privilege admin access and user interaction (UI:P), limiting real-world impact despite network-accessible delivery. Publicly available exploit code exists but EPSS exploitation probability is extremely low at 0.05%, suggesting the attack scenario (admin-initiated XSS against themselves or other admins) has minimal practical risk.
Technical Context (AI-generated)
The vulnerability is a reflected or stored cross-site scripting flaw (CWE-79) in a PHP-based vehicle management application. The /admin/add_vehicles.php endpoint accepts user input via the car_name parameter without proper output encoding or input sanitization. In PHP web applications, unencoded user input rendered directly in HTML contexts enables attackers to inject arbitrary JavaScript that executes in client browsers. The attack vector is network-accessible (AV:N) but requires prior authentication as a high-privilege administrator (PR:H), and user interaction is required (UI:P), meaning a victim must visit a page where the injected payload is reflected or stored.
Remediation (AI-generated)
Upgrade to a patched version if one becomes available from code-projects; no patched version is currently identified in the available advisory data. As an immediate workaround, apply server-side output encoding to all user-supplied input rendered by /admin/add_vehicles.php, specifically HTML-encoding the car_name parameter before it is written into HTTP responses, using PHP's htmlspecialchars() function with the ENT_QUOTES flag. Additionally, set a Content Security Policy (CSP) header with script-src restrictions so that injected scripts are blocked even if an encoding site is missed. Restrict administrative access to trusted users only, disable unnecessary admin features, and add Web Application Firewall (WAF) rules to detect and block common XSS payloads in POST parameters. Monitor admin user activity logs for suspicious input patterns. Contact code-projects directly at https://code-projects.org/ to request security patches or an updated version.
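The following is an added example, not code from code-projects' Simple Car Rental System: a hardened handling pattern for the car_name parameter of /admin/add_vehicles.php that applies the output encoding and CSP described above. The in-memory SQLite table, its column names and the 100-character limit are assumptions made for illustration.

```php
<?php
// Added example (not the Simple Car Rental System's own code): hardened
// handling of the car_name parameter from /admin/add_vehicles.php.
// The SQLite table, its columns and the length limit are assumptions.
declare(strict_types=1);

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES escapes
// both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would silently drop the value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline script even
// if an output site is missed. Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Constructed stand-in for the application's database connection.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE vehicles (id INTEGER PRIMARY KEY, car_name TEXT NOT NULL)');

// Validate shape and length as a sanity check, but do not treat input
// filtering as the XSS control: encoding at output time is the control.
$carName = trim((string) ($_POST['car_name'] ?? ''));
if ($carName === '' || mb_strlen($carName, 'UTF-8') > 100) {
    http_response_code(400);
    exit('car_name must be between 1 and 100 characters');
}

// Store the raw value with a bound parameter; encoding is applied when the
// value is rendered, so stored data is not double-encoded later.
$stmt = $pdo->prepare('INSERT INTO vehicles (car_name) VALUES (:car_name)');
$stmt->execute([':car_name' => $carName]);

// Render the listing: every value interpolated into HTML passes through e().
$rows = $pdo->query('SELECT car_name FROM vehicles')->fetchAll(PDO::FETCH_ASSOC);
?>
<ul>
<?php foreach ($rows as $row): ?>
  <li data-car="<?= e($row['car_name']) ?>"><?= e($row['car_name']) ?></li>
<?php endforeach; ?>
</ul>
```

The same e() helper must wrap every place the stored car_name is later rendered (edit forms, listings, reports); a single unencoded output site is enough to reintroduce the flaw, which is why the CSP is kept as a second layer.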