CVE-2025-4745 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the code-projects Employee Record System, specifically within the current_employees.php file. The vulnerability arises from improper sanitization or validation of user-supplied input parameters, namely employeed_id, first_name, middle_name, and last_name. An attacker can remotely manipulate these parameters to inject malicious scripts that execute in the context of the victim's browser. This type of vulnerability allows attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is classified as 'problematic' with a CVSS 4.0 base score of 5.1, indicating a medium severity level. The CVSS vector indicates that the attack can be performed remotely (AV:N), requires low attack complexity (AC:L), no privileges (PR:L) but user interaction (UI:P), and results in limited integrity impact (VI:L) without affecting confidentiality or availability. The vulnerability does not require authentication but does require some user interaction, such as clicking a crafted link or visiting a malicious page. Although there are no known exploits in the wild currently, the exploit details have been publicly disclosed, increasing the risk of exploitation. No patches or fixes have been linked yet, which means organizations using this software version remain exposed. The vulnerability affects a specific module handling employee records, which is likely critical for HR and administrative functions within organizations using this system.

For European organizations utilizing the code-projects Employee Record System 1.0, this vulnerability poses a significant risk to the integrity of employee data and the trustworthiness of internal web applications. Successful exploitation could lead to unauthorized script execution in users' browsers, potentially resulting in session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. This could compromise sensitive employee information and disrupt HR operations. Additionally, the presence of XSS vulnerabilities can damage organizational reputation and lead to compliance issues under regulations such as GDPR, which mandates protection of personal data. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to trigger the exploit, increasing the risk of targeted attacks. The lack of available patches means organizations must rely on mitigation strategies to reduce exposure. The medium severity rating suggests a moderate but non-negligible impact, especially in environments where employee data confidentiality and integrity are critical.

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data fields, especially employeed_id, first_name, middle_name, and last_name parameters in current_employees.php. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 3. Use web application firewalls (WAFs) to detect and block malicious payloads targeting these parameters. 4. Educate users about the risks of clicking unknown or suspicious links to reduce the likelihood of successful user interaction exploitation. 5. Monitor application logs for unusual or suspicious requests targeting the vulnerable parameters. 6. Engage with the vendor or development team to prioritize patch development and deployment. 7. If possible, isolate or restrict access to the Employee Record System to trusted networks or VPNs to reduce exposure. 8. Conduct regular security assessments and penetration tests focusing on XSS vulnerabilities to identify and remediate similar issues proactively.