Intern Membership Management System
CVE-2025-8340
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file fill_details.php of the component Error Message Handler. The manipulation of the argument email leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Reflected cross-site scripting (XSS) in Intern Membership Management System 1.0 allows remote attackers to inject malicious scripts via the email parameter in fill_details.php, executable only with user interaction. The vulnerability has a publicly available exploit and affects the error message handler, resulting in integrity impact (CVSS 2.1, EPSS 0.07%). While the attack vector is network-accessible and requires minimal complexity, the low CVSS and EPSS scores reflect the necessity for user interaction and limited technical impact.
Technical ContextAI
The vulnerability exists in fill_details.php, a PHP script component responsible for error message handling in an intern membership management application. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, or Reflected XSS), where user-supplied input from the email parameter is not properly sanitized or encoded before being output in HTML error messages. The application fails to apply contextual output encoding or input validation, allowing an attacker to craft a malicious URL containing JavaScript payloads in the email parameter. When a victim visits the crafted URL, the unvalidated input is rendered in their browser within the error message handler, causing the injected script to execute in their session context.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation: update or remove the application if possible. If retention is required, apply input validation and output encoding to the email parameter in fill_details.php-validate email format server-side using a strict whitelist regex, and encode all user-supplied input before rendering in HTML error messages using htmlspecialchars(input, ENT_QUOTES, 'UTF-8') in PHP. Implement a Content Security Policy (CSP) header (e.g., script-src 'self') to limit inline script execution. Disable script execution in error pages by setting X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block headers. Apply web application firewall (WAF) rules to detect and block payloads matching XSS patterns in the email parameter. Trade-off: strict input validation may reject legitimate email edge cases; test with international domain names and special characters. Contact code-projects.org or check their repository at https://code-projects.org/ for security updates.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today