CVE-2025-40693 is a stored Cross-Site Scripting (XSS) vulnerability identified in version 1.2 of the PHPGurukul Online Fire Reporting System (OFRS). This vulnerability arises due to improper neutralization of user input during web page generation, classified under CWE-79. Specifically, the vulnerability exists in the '/ofrs/admin/edit-team.php' endpoint, where several parameters ('tname' via GET and 'teamleadname', 'teammember', and 'teamname' via POST) are not properly validated or sanitized before being stored and subsequently rendered in the web interface. An authenticated attacker can inject malicious JavaScript payloads into these parameters, which are then stored on the server and executed in the browsers of other authenticated users who view the affected pages. This stored XSS can be exploited remotely without requiring elevated privileges beyond authentication and does not require user interaction beyond visiting the maliciously crafted page. The impact includes theft of session cookies, potentially leading to session hijacking, unauthorized actions on behalf of the victim user, and further compromise of the application or user accounts. The CVSS 4.0 score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction needed beyond page visit. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in April 2025 and published in September 2025 by INCIBE.

For European organizations using the PHPGurukul Online Fire Reporting System, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. Since the system is likely used by fire departments or emergency response teams, exploitation could disrupt critical incident reporting workflows, potentially delaying emergency responses. The theft of session cookies could allow attackers to impersonate legitimate users, escalate privileges, or manipulate sensitive incident data. This could lead to misinformation, loss of trust, and operational disruptions. Additionally, given the administrative nature of the affected endpoint, attackers might gain access to sensitive team management functions, further exacerbating the impact. The medium CVSS score indicates a moderate risk, but the critical nature of emergency response systems elevates the potential operational impact. European organizations must consider the risk of lateral movement and data leakage within their networks if attackers leverage this vulnerability.

To mitigate this vulnerability, organizations should immediately implement strict input validation and output encoding on all user-supplied data, especially the 'tname', 'teamleadname', 'teammember', and 'teamname' parameters. Employ context-aware output encoding (e.g., HTML entity encoding) before rendering user input in web pages to prevent script execution. Use security libraries or frameworks that automatically handle XSS protections. Restrict access to the '/ofrs/admin/edit-team.php' endpoint to only trusted administrative users and monitor logs for suspicious activity. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script sources. Regularly update and patch the OFRS software once the vendor releases a fix. Additionally, conduct security awareness training for users to recognize phishing or suspicious links that could trigger XSS payloads. Network segmentation and multi-factor authentication can further reduce the risk of session hijacking. Finally, consider deploying Web Application Firewalls (WAFs) with rules to detect and block malicious input patterns targeting this vulnerability.