CVE-2025-12303 identifies a cross-site scripting vulnerability in PHPGurukul Curfew e-Pass Management System version 1.0, specifically in the admin-profile.php file. The vulnerability arises due to improper sanitization or encoding of user-supplied input in the adminname and email parameters, which can be manipulated to inject malicious JavaScript code. When an attacker crafts a specially formed request and convinces an administrator to interact with it, the malicious script executes in the administrator's browser context. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability is remotely exploitable without authentication but requires user interaction, such as clicking a crafted link or visiting a malicious page. The CVSS 4.0 base score is 4.8 (medium), reflecting the limited impact on confidentiality but potential integrity and availability concerns. No patches or fixes have been published yet, and no known exploits are reported in the wild. The vulnerability affects only version 1.0 of the product, which is used primarily for managing curfew e-passes, a critical function in certain jurisdictions. The lack of input validation and output encoding in the affected parameters is the root cause.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code in the context of an administrator's browser session. This can lead to session hijacking, allowing attackers to impersonate administrators and gain unauthorized access to sensitive management functions. Additionally, attackers could deface the administrative interface or redirect administrators to malicious websites, potentially leading to further compromise. While confidentiality impact is limited, integrity and availability of the e-pass management system could be compromised. Given the system's role in controlling movement during curfews, disruption or manipulation could have significant operational consequences, including denial of service or unauthorized issuance of e-passes. Organizations relying on this system may face operational disruptions, reputational damage, and potential regulatory scrutiny if exploited.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially the adminname and email parameters in admin-profile.php. Employing a web application firewall (WAF) with rules to detect and block XSS payloads can provide an additional layer of defense. Administrators should be trained to recognize suspicious links or inputs and avoid interacting with untrusted sources. Since no official patch is available, consider isolating the management interface behind VPNs or IP whitelisting to reduce exposure. Regularly monitor logs for unusual activity indicative of exploitation attempts. If feasible, conduct a code review of the application to identify and remediate other potential injection points. Finally, plan for an update or patch deployment once the vendor releases a fix.