CVE-2025-60318 identifies a Cross Site Scripting (XSS) vulnerability in SourceCodester Pet Grooming Management Software version 1.0. The vulnerability exists in the /admin/profile.php endpoint, specifically in the handling of the fname (First Name) and lname (Last Name) input fields. These fields do not properly sanitize or encode user-supplied input, allowing an attacker to inject malicious JavaScript code. When an authenticated administrator accesses the affected page, the injected script executes in their browser context, potentially enabling session hijacking, credential theft, or unauthorized actions within the admin panel. The vulnerability requires the attacker to have access to the admin interface or to trick an administrator into visiting a crafted URL or page containing the malicious payload. No patch or fix has been published yet, and no known exploits have been reported in the wild. The lack of a CVSS score means severity must be assessed based on the nature of the vulnerability, its impact on confidentiality, integrity, and availability, and the exploitation complexity. Since this is an XSS vulnerability affecting administrative functions, it can lead to significant compromise of the management software's security posture if exploited.

For European organizations using SourceCodester Pet Grooming Management Software, this vulnerability could lead to unauthorized administrative access or actions if exploited. Attackers could steal session cookies or credentials from administrators, leading to full control over the management system. This could result in data manipulation, unauthorized disclosure of customer or business data, and disruption of business operations. Given the software's niche use in pet grooming management, the impact is likely limited to small and medium enterprises in this sector. However, compromised administrative control could also facilitate further attacks on connected systems or networks. The absence of known exploits reduces immediate risk, but the vulnerability remains a significant threat if weaponized. Organizations in Europe with regulatory requirements around data protection (e.g., GDPR) could face compliance risks if customer data is exposed due to exploitation.

Organizations should immediately implement strict input validation and output encoding on the fname and lname fields within the /admin/profile.php page to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface. Limit access to the admin panel through network segmentation, VPNs, or IP whitelisting to reduce exposure. Monitor administrative accounts for unusual activity and enforce strong authentication mechanisms, such as multi-factor authentication (MFA). Regularly audit and update the software, and engage with the vendor or community for patches or updates addressing this vulnerability. Additionally, educate administrators about phishing and social engineering risks that could be used to exploit this XSS vulnerability.