
CVE-2025-8115: Cross Site Scripting in PHPGurukul Taxi Stand Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-8115
Published: Thu Jul 24 2025 (07/24/2025, 18:32:06 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Taxi Stand Management System

Description

A vulnerability has been found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/new-autoortaxi-entry-form.php. The manipulation of the argument registrationnumber/licensenumber leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/24/2025, 19:02:46 UTC

Technical Analysis

CVE-2025-8115 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the PHPGurukul Taxi Stand Management System, specifically within the /admin/new-autoortaxi-entry-form.php file. The vulnerability arises from improper sanitization or validation of user-supplied input in the 'registrationnumber' or 'licensenumber' parameters. An attacker can craft input that, when processed and later rendered by the vulnerable web application, results in the injection and execution of arbitrary JavaScript code in the context of the victim's browser. The vulnerability is exploitable remotely by a low-privileged user and requires user interaction (e.g., an administrator visiting a crafted URL or submitting a form). The disclosed CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) indicates a network attack vector, low attack complexity, low privileges required (PR:L), user interaction required, low impact on integrity, and no impact on confidentiality or availability. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The Taxi Stand Management System is likely used by taxi companies or municipal transport authorities to manage vehicle registrations and dispatching, making the affected functionality important for operational integrity and data accuracy. Exploitation could allow attackers to execute scripts that steal session tokens, manipulate displayed data, or perform actions on behalf of authenticated users, potentially leading to unauthorized access or disruption of service.

Potential Impact

For European organizations, especially those operating taxi fleets or municipal transport services using PHPGurukul's Taxi Stand Management System, this vulnerability poses a risk of session hijacking, unauthorized data manipulation, and potential disruption of taxi dispatch operations. Given the administrative nature of the vulnerable endpoint, successful exploitation could compromise administrative accounts, leading to broader system misuse or data integrity issues. This could affect service reliability, customer trust, and regulatory compliance, particularly under GDPR if personal data is exposed or manipulated. The medium severity rating reflects moderate risk, but the potential for targeted attacks against transport infrastructure or service providers in Europe could elevate operational risks. Additionally, the remote exploitability without elevated privileges increases the attack surface, especially if administrative users are tricked into interacting with malicious content.

Mitigation Recommendations

Organizations should immediately review and sanitize all inputs on the /admin/new-autoortaxi-entry-form.php page, specifically the 'registrationnumber' and 'licensenumber' parameters, to ensure proper encoding and validation against XSS payloads. Implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Restricting access to the administrative interface through network segmentation, VPNs, or IP whitelisting will reduce exposure. Regularly updating the PHPGurukul Taxi Stand Management System to patched versions once available is critical. In the absence of official patches, applying web application firewall (WAF) rules to detect and block suspicious input patterns targeting these parameters can provide interim protection. Training administrative users to recognize phishing or social engineering attempts that could lead to user interaction with malicious payloads is also recommended. Finally, monitoring logs for unusual activity around the vulnerable endpoint can help detect exploitation attempts early.
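As an added illustration of the input validation, output encoding and CSP recommended above, the PHP below shows a defensive handling pattern for the two parameters named in the advisory. It is not PHPGurukul's code (the page does not show the vulnerable source); the allow-listed identifier format, the HTML fragment and the helper names are assumptions.

```php
<?php
// Added example: defensive handling of the registrationnumber / licensenumber
// fields named in CVE-2025-8115. This is NOT the PHPGurukul source; the
// identifier format and the markup below are assumptions for illustration.

// 1. Allow-list validation on input: plate and licence identifiers are short
//    alphanumeric tokens, so anything else is rejected before it is stored.
function validate_identifier(string $value, int $maxLen = 20): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Letters, digits, spaces and hyphens only (assumed format).
    if (!preg_match('/^[A-Za-z0-9 -]+$/', $value)) {
        return null;
    }
    return $value;
}

// 2. Context-aware output encoding: every value written back into HTML is
//    escaped, including quotes, so it cannot break out of an attribute or tag.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Defence in depth: a restrictive CSP limits what an injected script could
//    do if escaping is ever missed. header() must run before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'");

$registration = validate_identifier($_POST['registrationnumber'] ?? '');
$licence      = validate_identifier($_POST['licensenumber'] ?? '');

if ($registration === null || $licence === null) {
    // Vulnerable pattern to avoid: echoing the raw $_POST value into the page.
    // Here the rejected input is never reflected at all.
    http_response_code(400);
    echo '<p>Invalid registration or licence number.</p>';
    exit;
}
?>
<!-- Re-display the accepted values in the form; h() is applied on every echo. -->
<input type="text" name="registrationnumber" value="<?= h($registration) ?>">
<input type="text" name="licensenumber" value="<?= h($licence) ?>">
```

The same escaping helper should be applied wherever stored registration or licence values are later listed in admin pages, since stored XSS surfaces on output, not on input.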


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-24T13:34:45.901Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68827fd0ad5a09ad0041a727

Added to database: 7/24/2025, 6:47:44 PM

Last enriched: 7/24/2025, 7:02:46 PM

Last updated: 7/25/2025, 12:49:37 PM
