CVE-2025-6345 is a cross-site scripting (XSS) vulnerability identified in SourceCodester My Food Recipe version 1.0, specifically within the addRecipeModal function of the /endpoint/add-recipe.php file. This vulnerability arises due to improper sanitization or validation of the 'Name' parameter submitted to the Add Recipe Page component. An attacker can remotely craft malicious input for the 'Name' argument, which is then reflected in the web application without adequate encoding or filtering, enabling the execution of arbitrary JavaScript code in the context of the victim's browser. The vulnerability is classified as problematic and has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L), no privileges (PR:L) but some user interaction (UI:P). The vulnerability does not compromise confidentiality or availability directly but impacts integrity and partially impacts victim interaction (VI:L). No authentication is required to exploit this vulnerability, and the exploit has been publicly disclosed, although no known exploits are currently observed in the wild. This XSS flaw could be leveraged for session hijacking, phishing, or delivering malicious payloads to users interacting with the affected web application. Since the product is a web-based recipe management system, the attack surface includes any users submitting or viewing recipes, potentially including administrators or registered users. The vulnerability's scope is limited to the affected version 1.0 of the My Food Recipe application from SourceCodester, which is typically deployed by small to medium-sized organizations or individual users managing culinary content online.

For European organizations using SourceCodester My Food Recipe 1.0, this vulnerability poses a moderate risk primarily to web application integrity and user trust. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, leading to session hijacking, credential theft, or distribution of malware. This could result in reputational damage, especially for businesses relying on customer engagement through their recipe platforms. While the direct impact on confidentiality and availability is limited, the indirect consequences such as phishing campaigns or unauthorized actions performed on behalf of users could disrupt business operations. Organizations in the hospitality, food service, or culinary content sectors in Europe that utilize this software may face increased risk. Additionally, compliance with data protection regulations like GDPR could be jeopardized if user data is compromised through such attacks. The medium severity rating suggests that while the threat is not critical, it should not be ignored, especially in environments where user interaction with the application is frequent and sensitive data is processed or stored.

To mitigate this vulnerability effectively, European organizations should: 1) Immediately apply any available patches or updates from SourceCodester; if none are available, implement manual input validation and output encoding on the 'Name' parameter within the addRecipeModal function to neutralize malicious scripts. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 3) Conduct a thorough code review of all user input handling in the application to identify and remediate similar XSS weaknesses. 4) Implement web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the affected endpoints. 5) Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with recipe submissions or links. 6) Monitor web server logs and user activity for signs of exploitation attempts or unusual behavior. 7) Consider migrating to more secure or actively maintained recipe management platforms if long-term support for this product is uncertain. These steps go beyond generic advice by focusing on specific code-level fixes, security headers, and operational monitoring tailored to the nature of this vulnerability and the affected component.