Skip to main content

CVE-2025-6778: Cross Site Scripting in code-projects Food Distributor Site

Medium
VulnerabilityCVE-2025-6778cvecve-2025-6778
Published: Fri Jun 27 2025 (06/27/2025, 20:31:07 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Food Distributor Site

Description

A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AILast updated: 06/27/2025, 20:54:33 UTC

Technical Analysis

CVE-2025-6778 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the code-projects Food Distributor Site, specifically within the /admin/save_settings.php file. The vulnerability arises from improper sanitization or validation of user-supplied input in the parameters site_phone, site_email, and address. An attacker can manipulate these input fields to inject malicious scripts that execute in the context of an authenticated administrator's browser session. The vulnerability is remotely exploitable without requiring authentication, but user interaction is necessary, as the attack vector involves tricking an administrator into visiting a crafted URL or submitting manipulated data. The CVSS 4.0 base score is 4.8, indicating a medium severity level. The attack complexity is low, and no privileges are required to initiate the attack, but the attack requires user interaction. The vulnerability does not impact confidentiality or availability significantly but can lead to limited integrity issues and potential session hijacking or unauthorized actions within the admin interface. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The lack of available patches or mitigations from the vendor at this time elevates the urgency for organizations using this software to implement compensating controls.

Potential Impact

For European organizations using the code-projects Food Distributor Site version 1.0, this vulnerability poses a risk primarily to the integrity of administrative operations and potentially to the confidentiality of administrative sessions. Successful exploitation could allow attackers to execute arbitrary scripts in the context of an administrator, leading to session hijacking, unauthorized changes to site settings, or distribution of malicious content to other users. Given that the vulnerability affects the administrative interface, the impact could extend to operational disruptions or data manipulation within the food distribution business processes. While the vulnerability does not directly affect availability or cause data breaches, the indirect consequences of compromised administrative control could be significant, especially for organizations handling sensitive customer or supplier information. The medium severity rating suggests that while the risk is not critical, it should not be ignored, especially in regulated industries or where compliance with data protection laws such as GDPR is mandatory.

Mitigation Recommendations

Since no official patches or updates are currently available from the vendor, European organizations should implement immediate compensating controls. These include: 1) Restricting access to the /admin/save_settings.php endpoint through network-level controls such as IP whitelisting or VPN-only access to limit exposure to trusted administrators. 2) Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the site_phone, site_email, and address parameters. 3) Educating administrators about the risk of clicking on untrusted links or submitting unverified data to the admin interface to reduce the likelihood of successful user interaction exploitation. 4) Conducting regular security audits and input validation reviews on all administrative input fields to identify and remediate similar vulnerabilities proactively. 5) Monitoring logs for unusual activity related to the affected parameters or admin interface access patterns. 6) Planning for an upgrade or migration to a patched or alternative solution once available to eliminate the vulnerability permanently.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-27T11:18:23.303Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685f01806f40f0eb7266be80

Added to database: 6/27/2025, 8:39:28 PM

Last enriched: 6/27/2025, 8:54:33 PM

Last updated: 7/13/2025, 9:10:20 AM

Views: 24

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats