CVE-2025-13484 is a cross-site scripting vulnerability identified in version 1.0 of the Campcodes Complete Online Beauty Parlor Management System. The vulnerability resides in the /admin/customer-list.php file, specifically in the handling of the 'Name' parameter. Improper input validation allows an attacker to inject malicious JavaScript code that executes in the context of an authenticated administrator's browser session. The attack vector is remote and does not require prior authentication, but successful exploitation depends on user interaction, such as an administrator clicking a crafted link or viewing a manipulated customer list entry. The vulnerability can lead to session hijacking, credential theft, or unauthorized actions performed with the administrator's privileges. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but the description suggests no authentication needed, so this may be a discrepancy), user interaction required (UI:P), and low impact on integrity (VI:L) with no impact on confidentiality or availability. No patches or vendor advisories are currently linked, and no active exploitation has been reported, though public exploit code exists. This vulnerability highlights the importance of proper input sanitization and output encoding in web applications, especially in administrative interfaces.

The primary impact of this XSS vulnerability is on the confidentiality and integrity of administrative sessions within the affected system. An attacker exploiting this flaw can execute arbitrary scripts in the context of an administrator’s browser, potentially stealing session cookies, performing unauthorized actions, or injecting malicious content. While the vulnerability does not directly affect system availability, the compromise of administrative credentials or sessions could lead to further system manipulation or data exposure. Organizations relying on this software for managing customer data and business operations risk unauthorized access to sensitive customer information and disruption of business processes. Given the niche application, the scope of impact is limited to businesses using this specific product, but within those environments, the risk to business continuity and data privacy is significant if exploited.

To mitigate CVE-2025-13484, organizations should immediately implement strict input validation and output encoding on the 'Name' parameter in the /admin/customer-list.php file to prevent script injection. If vendor patches become available, they should be applied promptly. In the absence of patches, web application firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting this parameter. Administrators should be trained to recognize suspicious inputs and avoid clicking on untrusted links or inputs within the admin interface. Regular security audits and code reviews focusing on input handling in administrative modules are recommended. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution contexts. Monitoring logs for unusual activities related to the customer list page can help detect exploitation attempts early.