In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

CVE-2025-53865 is a medium-severity Cross-Site Scripting (XSS) vulnerability identified in the Roundup issue tracking system, specifically in versions prior to 2.5.0. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The issue manifests through the interaction between URLs and issue tracker templates (notably the 'devel' and 'responsive' templates), allowing an attacker to inject malicious scripts into web pages served by Roundup. Exploiting this vulnerability does not require user interaction but does require low privileges (PR:L), meaning an attacker must have some level of authenticated access to the system. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and no user interaction (UI:N) required. The impact affects confidentiality and integrity (both low impact), but not availability. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could allow an attacker to execute arbitrary JavaScript in the context of the affected Roundup web application, potentially leading to session hijacking, data theft, or unauthorized actions within the tracker interface.

CVE Database V5

Detailed information about CVE-2025-53865: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in roundup-tracker

CVE-2025-53865: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in roundup-tracker Roundup - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-53865: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in roundup-tracker Roundup

A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/product_update.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7538 is a vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/product_update.php file. The vulnerability arises from improper handling of the 'image' parameter, which allows an attacker to perform an unrestricted file upload. This means that an attacker can upload arbitrary files, including potentially malicious scripts, without authentication or user interaction, and remotely. The vulnerability is classified as critical due to the potential for remote exploitation and the ability to upload files that could lead to remote code execution or system compromise. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low to medium, suggesting that while the vulnerability can be exploited remotely, the overall damage depends on the payload uploaded and subsequent attacker actions. No patches or mitigations have been published yet, and no known exploits are currently observed in the wild. However, public disclosure of the exploit details increases the risk of exploitation.

Detailed information about CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-t

CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System

A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/product_update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7537 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically affecting an unspecified portion of the /pages/product_update.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which can be manipulated remotely by an unauthenticated attacker to inject malicious SQL commands. This flaw allows attackers to interfere with the application's database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. Although the CVSS 4.0 score is 6.9, categorized as medium severity, the potential impact on confidentiality, integrity, and availability of the system's data is significant due to the nature of SQL injection attacks. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The lack of available patches or mitigation guidance from the vendor increases the urgency for affected organizations to implement protective measures. Given that the affected product is a sales and inventory system, exploitation could lead to exposure or manipulation of sensitive business data, including inventory records, sales transactions, and possibly customer information.

Detailed information about CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-time up

CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System

A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pages/receipt_credit.php. The manipulation of the argument sid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7536 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/receipt_credit.php file. The vulnerability arises from improper sanitization of the 'sid' parameter, which can be manipulated by an attacker to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring any user interaction or privileges. The injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the system's data. Although the CVSS score is 6.9 (medium severity), the vulnerability's characteristics—remote exploitability without authentication and direct impact on database operations—indicate a significant threat. The exploit has been publicly disclosed, increasing the risk of exploitation. No official patches or mitigations have been linked yet, which means affected organizations must rely on immediate defensive measures. The vulnerability affects only version 1.0 of the Campcodes Sales and Inventory System, which is a niche product used for managing sales and inventory data, likely in small to medium enterprises.

Detailed information about CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System affecting Campcodes Sales and Inventory System. Get real-time up

CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System

A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /getdoctordaybooking.php. The manipulation of the argument cid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7539: SQL Injection in code-projects Online Appointment Booking System affecting code-projects Online Appointment Booking Sy

CVE-2025-7539: SQL Injection in code-projects Online Appointment Booking System

CVE-2025-7539: SQL Injection in code-projects Online Appointment Booking System

Description

Technical Details

Related Threats

CVE-2025-53865: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in roundup-tracker Roundup

CVE-2025-7538: Unrestricted Upload in Campcodes Sales and Inventory System

CVE-2025-7537: SQL Injection in Campcodes Sales and Inventory System

CVE-2025-7536: SQL Injection in Campcodes Sales and Inventory System

CVE-2025-7535: SQL Injection in Campcodes Sales and Inventory System

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility