
CVE-2025-8337: Cross Site Scripting in code-projects Simple Car Rental System

Medium
Published: Wed Jul 30 2025 (07/30/2025, 23:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Car Rental System

Description

A vulnerability, which was classified as problematic, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_vehicles.php. The manipulation of the argument car_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/07/2025, 01:28:50 UTC

Technical Analysis

CVE-2025-8337 is a cross-site scripting (XSS) vulnerability in version 1.0 of the Simple Car Rental System developed by code-projects. It arises from improper handling of the 'car_name' parameter in the /admin/add_vehicles.php script: the application fails to adequately sanitize or encode user-supplied input for this parameter, allowing an attacker to inject malicious scripts. The vulnerability is exploitable remotely without authentication, although user interaction is required to trigger the malicious payload. The CVSS 4.0 base score is 4.8, a medium severity level. The vector string indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, which conflicts with the description's claim that no authentication is needed and is likely a data inconsistency), and user interaction required (UI:P). The confidentiality impact is none, the integrity impact is low, and the availability impact is none: the injected script does not directly expose data or disrupt service, but it can lead to session hijacking, defacement, or redirection to malicious sites. No patches or known exploits in the wild have been reported yet. The vulnerability was disclosed on July 30, 2025. Because the affected component is an administrative interface, exploitation could have a significant impact if an attacker convinces an administrator to interact with a crafted link or input, potentially compromising administrative sessions or injecting malicious scripts into the admin panel interface.

Potential Impact

For European organizations using the Simple Car Rental System version 1.0, this vulnerability poses a risk primarily to the integrity of the administrative interface. Successful exploitation could allow attackers to execute arbitrary scripts in the context of an administrator's browser session, potentially leading to session hijacking, unauthorized actions within the admin panel, or distribution of malware to other users. While the vulnerability does not directly compromise confidentiality or availability, the indirect effects could include unauthorized modification of vehicle data or rental records, undermining business operations and trust. Given the nature of the application (car rental management), such disruptions could affect customer service and operational continuity. Additionally, regulatory frameworks such as GDPR require organizations to maintain secure processing of personal data; exploitation of this vulnerability could lead to data integrity issues and potential compliance violations if personal data is manipulated or exposed through subsequent attacks. The medium severity score suggests that while the threat is not critical, it should be addressed promptly, especially in environments where the administrative interface is exposed or accessible over the internet.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict input validation and output encoding for the 'car_name' parameter within the /admin/add_vehicles.php script. Specifically, all user-supplied data should be validated against an expected format on input and HTML-encoded wherever it is written into a page, so that special characters cannot be interpreted as markup. Employing a web application firewall (WAF) with rules to detect and block XSS payloads targeting this endpoint provides an additional layer of defense. Restricting access to the administrative interface through network segmentation, VPNs, or IP allowlisting reduces exposure to remote attackers. Administrators should be trained to recognize suspicious links or inputs that could trigger XSS attacks. Since no official patch is currently available, organizations should consider applying custom patches or conducting code reviews to remediate the vulnerability. Regular security assessments and penetration testing focused on the admin interface can help identify residual or related vulnerabilities. Finally, monitoring logs for unusual activity around the /admin/add_vehicles.php endpoint can aid in early detection of exploitation attempts.
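As an added example (not code from the Simple Car Rental System or its vendor), the following PHP shows the raw-echo pattern the advisory describes next to a hardened handler for the car_name field, combining input validation with output encoding; the function names and the HTML fragment they produce are assumptions for illustration.

```php
<?php
// Added example, not code from the Simple Car Rental System: a hardened
// handler for the car_name field of /admin/add_vehicles.php. The function
// names and the HTML fragment produced are assumptions for illustration.

// Step 1: validate on input. Reject anything outside an allowlist of
// characters a vehicle name legitimately needs, rather than trying to
// strip tags from hostile input. Returns null when the value is rejected.
function validate_car_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    // Letters in any script, digits, space, hyphen, apostrophe and dot.
    if (!preg_match('/^[\p{L}\p{N} \-\'.]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Step 2: encode on output. Every place the stored name is written into
// HTML must pass through this, whatever validation accepted earlier.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern, as the advisory describes it: the raw parameter is
// written straight into the page, so a value containing markup is rendered.
function render_vehicle_row_vulnerable(array $post): string
{
    return '<td>' . ($post['car_name'] ?? '') . '</td>';
}

// Hardened pattern: validate first, then encode at the point of output.
function render_vehicle_row_hardened(array $post): string
{
    $name = validate_car_name((string)($post['car_name'] ?? ''));
    if ($name === null) {
        return '<td>Invalid vehicle name.</td>';
    }
    return '<td>' . html_encode($name) . '</td>';
}

// Constructed check: a script payload is rejected at validation, and a
// legitimate name containing an apostrophe survives, encoded, on output.
assert(render_vehicle_row_hardened(['car_name' => '<script>alert(1)</script>']) === '<td>Invalid vehicle name.</td>');
assert(render_vehicle_row_hardened(['car_name' => "O'Neil's Van"]) === "<td>O&#039;Neil&#039;s Van</td>");
```

Validation alone is not the fix: the encoding step is what makes the output safe, and it must be applied in every template that displays the stored value, not only in add_vehicles.php.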


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-30T08:24:35.246Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 688aa81bad5a09ad00b08f97

Added to database: 7/30/2025, 11:17:47 PM

Last enriched: 8/7/2025, 1:28:50 AM

Last updated: 9/14/2025, 4:01:42 AM
