CVE-2025-45751 is a medium-severity Cross Site Scripting (XSS) vulnerability identified in the SourceCodester Web Based Pharmacy Product Management System version 1.0. The vulnerability exists specifically in the add-admin.php script, where the Fullname text field does not properly sanitize user input. This lack of input validation allows an attacker to inject malicious scripts that execute in the context of the victim's browser when the vulnerable page is viewed. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation, leading to XSS. According to the CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), the attack requires network access with low attack complexity, no privileges, and no user interaction, but it is limited to adjacent network access (AV:A), such as within the same local network or VPN. The impact affects confidentiality and integrity but not availability. No patches or known exploits in the wild have been reported yet. The vulnerability was published on May 5, 2025, and has a CVSS score of 5.4, indicating a medium risk level.

For European organizations, especially those in the healthcare and pharmaceutical sectors using the SourceCodester Web Based Pharmacy Product Management System, this vulnerability poses a risk of unauthorized script execution within administrative interfaces. Exploitation could lead to theft of sensitive administrative credentials or session hijacking, enabling attackers to manipulate administrative functions or access confidential patient and product data. Given the sensitive nature of healthcare data protected under GDPR, any compromise could result in significant regulatory penalties and reputational damage. The requirement for adjacent network access somewhat limits remote exploitation, but insider threats or compromised internal networks could facilitate attacks. The integrity of administrative data could be undermined, potentially affecting inventory management and patient safety indirectly. Although availability is not impacted, the breach of confidentiality and integrity in a healthcare context is critical.

To mitigate this vulnerability, European organizations should implement strict input validation and output encoding on the Fullname field within add-admin.php to neutralize malicious scripts. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts. Network segmentation should be enforced to limit access to the administrative interface to trusted hosts only, reducing the risk from adjacent network attackers. Regular security audits and code reviews of web applications should be conducted to identify and remediate similar vulnerabilities. Since no official patch is available, organizations should consider applying custom fixes or using web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this specific endpoint. Additionally, monitoring administrative access logs for unusual activity can help detect exploitation attempts early.