Skip to main content

CVE-2025-25776: n/a in n/a

Medium
VulnerabilityCVE-2025-25776cvecve-2025-25776
Published: Mon Apr 28 2025 (04/28/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Cross-Site Scripting (XSS) vulnerability exists in the User Registration and User Profile features of Codeastro Bus Ticket Booking System v1.0 allows an attacker to execute arbitrary code into the Full Name and Address fields during user registration or profile editing.

AI-Powered Analysis

AILast updated: 06/24/2025, 20:37:01 UTC

Technical Analysis

CVE-2025-25776 is a Cross-Site Scripting (XSS) vulnerability identified in the Codeastro Bus Ticket Booking System version 1.0. This vulnerability specifically affects the User Registration and User Profile features, where user-supplied input fields such as 'Full Name' and 'Address' do not properly sanitize or encode input data. As a result, an attacker can inject arbitrary malicious scripts into these fields. When other users or administrators view the affected profiles or registration data, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 5.0 (medium severity), with vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:R). The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable component. The impact on confidentiality and integrity is low, while availability is not impacted. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in early February 2025 and published in late April 2025. The Codeastro Bus Ticket Booking System is a niche application used for managing bus ticket sales and user registrations, likely deployed in regional transportation services or small to medium enterprises in the travel sector.

Potential Impact

For European organizations, especially those in the transportation and travel sectors using the Codeastro Bus Ticket Booking System, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform phishing attacks, or manipulate user data. This could compromise user privacy and trust, potentially leading to reputational damage and regulatory scrutiny under GDPR due to exposure of personal data. While the vulnerability requires local access and user interaction, the changed scope means that exploitation could affect other components or users beyond the initially targeted profile. Organizations operating in public transport or ticketing services may face service disruptions or fraud attempts if attackers leverage this vulnerability. Given the medium CVSS score and the lack of known exploits, the immediate risk is moderate but could escalate if exploit code becomes publicly available.

Mitigation Recommendations

Implement strict input validation and output encoding on all user-supplied data fields, especially 'Full Name' and 'Address', to neutralize any embedded scripts before rendering. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. Conduct a thorough code review and penetration testing focused on XSS vulnerabilities in all user input forms within the application. Restrict access to the user registration and profile editing interfaces to authenticated and authorized users only, reducing the attack surface. Monitor web application logs for unusual input patterns or script injection attempts targeting the vulnerable fields. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted user-generated content within the system. Engage with the vendor or development team to obtain or develop patches addressing the input sanitization flaws as soon as possible. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting the affected fields.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-02-07T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983dc4522896dcbef601

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 8:37:01 PM

Last updated: 8/15/2025, 6:17:16 PM

Views: 15

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats