CVE-2025-65215 identifies a Cross Site Scripting (XSS) vulnerability in the Sourcecodester Web-based Pharmacy Product Management System version 1.0. The flaw exists in the Supplier Name input field on the /product_expiry/add-supplier.php page, where user-supplied input is not properly sanitized or encoded before being reflected in the web application’s output. This allows an attacker to inject malicious JavaScript code that executes in the browsers of users who view the affected page, potentially leading to session hijacking, theft of cookies, or manipulation of displayed data. The vulnerability is remotely exploitable over the network without requiring authentication, but it does require user interaction (e.g., a user visiting a crafted URL or page). The CVSS 3.1 base score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component. The confidentiality and integrity impacts are low, while availability is not affected. No known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-79, a common and well-understood web application security issue. Given the nature of the affected system—a pharmacy product management platform—successful exploitation could lead to unauthorized access to supplier information or manipulation of product expiry data, which could indirectly impact operational integrity and patient safety.

For European organizations, particularly those in the healthcare and pharmaceutical sectors using the Sourcecodester Pharmacy Product Management System, this vulnerability poses a risk to the confidentiality and integrity of supplier and product data. Attackers could exploit the XSS flaw to hijack user sessions, steal sensitive information, or inject malicious scripts that alter displayed data, potentially disrupting inventory management or expiry tracking. This could lead to operational inefficiencies, regulatory compliance issues, and reputational damage. Although availability is not directly impacted, the indirect effects of data manipulation could affect patient safety and supply chain reliability. The vulnerability’s requirement for user interaction means phishing or social engineering could be used to lure users into triggering the exploit. European healthcare providers are subject to strict data protection regulations (e.g., GDPR), so exploitation could also result in legal and financial penalties. The absence of known active exploits provides a window for proactive mitigation, but the medium severity and scope change indicate a meaningful risk that should not be ignored.

To mitigate CVE-2025-65215, organizations should implement strict input validation and output encoding on the Supplier Name field to neutralize malicious scripts. Employing context-aware encoding (e.g., HTML entity encoding) before rendering user input in the web interface is critical. Deploy Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the affected endpoint. Conduct regular security assessments and code reviews focusing on user input handling in the application. Educate users about phishing risks to reduce the chance of successful social engineering attacks that could trigger the vulnerability. Monitor web server and application logs for unusual requests or script injection attempts. Coordinate with the vendor or development team to obtain patches or updates addressing this vulnerability as soon as they become available. If patching is delayed, consider isolating or restricting access to the vulnerable module to trusted users only. Additionally, implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.