CVE-2025-25776: n/a in n/a
Cross-Site Scripting (XSS) vulnerability exists in the User Registration and User Profile features of Codeastro Bus Ticket Booking System v1.0 allows an attacker to execute arbitrary code into the Full Name and Address fields during user registration or profile editing.
AI Analysis
Technical Summary
CVE-2025-25776 is a Cross-Site Scripting (XSS) vulnerability identified in the Codeastro Bus Ticket Booking System version 1.0. This vulnerability specifically affects the User Registration and User Profile features, where user-supplied input fields such as 'Full Name' and 'Address' do not properly sanitize or encode input data. As a result, an attacker can inject arbitrary malicious scripts into these fields. When other users or administrators view the affected profiles or registration data, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.0 (medium severity), with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:R). The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable component. The impact on confidentiality and integrity is low, while availability is not impacted. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in early February 2025 and published in late April 2025. The Codeastro Bus Ticket Booking System is a niche application used for managing bus ticket sales and user registrations, likely deployed in regional transportation services or small to medium enterprises in the travel sector.
Potential Impact
For European organizations, especially those in the transportation and travel sectors using the Codeastro Bus Ticket Booking System, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform phishing attacks, or manipulate user data. This could compromise user privacy and trust, potentially leading to reputational damage and regulatory scrutiny under GDPR due to exposure of personal data. While the vulnerability requires local access and user interaction, the changed scope means that exploitation could affect other components or users beyond the initially targeted profile. Organizations operating in public transport or ticketing services may face service disruptions or fraud attempts if attackers leverage this vulnerability. Given the medium CVSS score and the lack of known exploits, the immediate risk is moderate but could escalate if exploit code becomes publicly available.
Mitigation Recommendations
Implement strict input validation and output encoding on all user-supplied data fields, especially 'Full Name' and 'Address', to neutralize any embedded scripts before rendering. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. Conduct a thorough code review and penetration testing focused on XSS vulnerabilities in all user input forms within the application. Restrict access to the user registration and profile editing interfaces to authenticated and authorized users only, reducing the attack surface. Monitor web application logs for unusual input patterns or script injection attempts targeting the vulnerable fields. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted user-generated content within the system. Engage with the vendor or development team to obtain or develop patches addressing the input sanitization flaws as soon as possible. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting the affected fields.
Affected Countries
Germany, France, Italy, Spain, Poland, Netherlands, Belgium
CVE-2025-25776: n/a in n/a
Description
Cross-Site Scripting (XSS) vulnerability exists in the User Registration and User Profile features of Codeastro Bus Ticket Booking System v1.0 allows an attacker to execute arbitrary code into the Full Name and Address fields during user registration or profile editing.
AI-Powered Analysis
Technical Analysis
CVE-2025-25776 is a Cross-Site Scripting (XSS) vulnerability identified in the Codeastro Bus Ticket Booking System version 1.0. This vulnerability specifically affects the User Registration and User Profile features, where user-supplied input fields such as 'Full Name' and 'Address' do not properly sanitize or encode input data. As a result, an attacker can inject arbitrary malicious scripts into these fields. When other users or administrators view the affected profiles or registration data, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.0 (medium severity), with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:R). The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable component. The impact on confidentiality and integrity is low, while availability is not impacted. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in early February 2025 and published in late April 2025. The Codeastro Bus Ticket Booking System is a niche application used for managing bus ticket sales and user registrations, likely deployed in regional transportation services or small to medium enterprises in the travel sector.
Potential Impact
For European organizations, especially those in the transportation and travel sectors using the Codeastro Bus Ticket Booking System, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform phishing attacks, or manipulate user data. This could compromise user privacy and trust, potentially leading to reputational damage and regulatory scrutiny under GDPR due to exposure of personal data. While the vulnerability requires local access and user interaction, the changed scope means that exploitation could affect other components or users beyond the initially targeted profile. Organizations operating in public transport or ticketing services may face service disruptions or fraud attempts if attackers leverage this vulnerability. Given the medium CVSS score and the lack of known exploits, the immediate risk is moderate but could escalate if exploit code becomes publicly available.
Mitigation Recommendations
Implement strict input validation and output encoding on all user-supplied data fields, especially 'Full Name' and 'Address', to neutralize any embedded scripts before rendering. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. Conduct a thorough code review and penetration testing focused on XSS vulnerabilities in all user input forms within the application. Restrict access to the user registration and profile editing interfaces to authenticated and authorized users only, reducing the attack surface. Monitor web application logs for unusual input patterns or script injection attempts targeting the vulnerable fields. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted user-generated content within the system. Engage with the vendor or development team to obtain or develop patches addressing the input sanitization flaws as soon as possible. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting the affected fields.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-02-07T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d983dc4522896dcbef601
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 8:37:01 PM
Last updated: 7/30/2025, 2:22:52 AM
Views: 14
Related Threats
CVE-2025-9060: CWE-20 Improper Input Validation in MSoft MFlash
CriticalCVE-2025-8675: CWE-918 Server-Side Request Forgery (SSRF) in Drupal AI SEO Link Advisor
MediumCVE-2025-8362: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal GoogleTag Manager
MediumCVE-2025-8361: CWE-962 Missing Authorization in Drupal Config Pages
HighCVE-2025-8092: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal COOKiES Consent Management
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.