CVE-2025-25776 is a Cross-Site Scripting (XSS) vulnerability identified in the Codeastro Bus Ticket Booking System version 1.0. This vulnerability specifically affects the User Registration and User Profile features, where user-supplied input fields such as 'Full Name' and 'Address' do not properly sanitize or encode input data. As a result, an attacker can inject arbitrary malicious scripts into these fields. When other users or administrators view the affected profiles or registration data, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.0 (medium severity), with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:R). The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable component. The impact on confidentiality and integrity is low, while availability is not impacted. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in early February 2025 and published in late April 2025. The Codeastro Bus Ticket Booking System is a niche application used for managing bus ticket sales and user registrations, likely deployed in regional transportation services or small to medium enterprises in the travel sector.

For European organizations, especially those in the transportation and travel sectors using the Codeastro Bus Ticket Booking System, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform phishing attacks, or manipulate user data. This could compromise user privacy and trust, potentially leading to reputational damage and regulatory scrutiny under GDPR due to exposure of personal data. While the vulnerability requires local access and user interaction, the changed scope means that exploitation could affect other components or users beyond the initially targeted profile. Organizations operating in public transport or ticketing services may face service disruptions or fraud attempts if attackers leverage this vulnerability. Given the medium CVSS score and the lack of known exploits, the immediate risk is moderate but could escalate if exploit code becomes publicly available.

Implement strict input validation and output encoding on all user-supplied data fields, especially 'Full Name' and 'Address', to neutralize any embedded scripts before rendering. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. Conduct a thorough code review and penetration testing focused on XSS vulnerabilities in all user input forms within the application. Restrict access to the user registration and profile editing interfaces to authenticated and authorized users only, reducing the attack surface. Monitor web application logs for unusual input patterns or script injection attempts targeting the vulnerable fields. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted user-generated content within the system. Engage with the vendor or development team to obtain or develop patches addressing the input sanitization flaws as soon as possible. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting the affected fields.