CVE-2025-12335

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the supplier_update.php page of code-projects E-Commerce Website 1.0 through the supp_name or supp_address parameters. When administrators or other users view the affected page, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. Only systems running this specific e-commerce software are affected.

💻 Affected Systems

Products:
  • code-projects E-Commerce Website
Versions: 1.0
Operating Systems: Any OS running a PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the supplier_update.php file accessible. The vulnerability exists in the default installation with no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator session cookies, gain administrative access to the e-commerce platform, modify product data, access customer information, or deface the website.

🟠 Likely Case: Attackers will likely use this to steal session cookies from administrators or users viewing supplier pages, potentially leading to account compromise and limited data exposure.

🟢 If Mitigated: With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing web applications, making them accessible to any attacker.
🏢 Internal Only: MEDIUM - If the application is only accessible internally, risk is reduced but still present from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly disclosed and requires the attacker to have access to submit supplier data or trick someone with access to submit malicious input. Basic web application testing tools can easily detect and exploit this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Consider implementing input validation and output encoding as described in workarounds, or migrating to a supported e-commerce platform.

🔧 Temporary Workarounds

Implement Input Validation and Output Encoding

Add server-side validation for the supp_name and supp_address parameters, and encode these values whenever they are written into HTML output.

Edit /pages/supplier_update.php so the submitted values are encoded before they are placed in the page, rather than echoed raw:

    $supp_name    = htmlspecialchars($_POST['supp_name'] ?? '', ENT_QUOTES, 'UTF-8');
    $supp_address = htmlspecialchars($_POST['supp_address'] ?? '', ENT_QUOTES, 'UTF-8');

Restrict Access to Supplier Pages

Implement authentication and authorization checks to ensure only authorized users can access supplier management functions.

Add session validation at the beginning of supplier_update.php, after the session has been started:

    session_start();
    if (!isset($_SESSION['admin_logged_in']) || $_SESSION['admin_logged_in'] !== true) {
        header('Location: login.php');
        exit();
    }
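As an added illustration (not code from the code-projects project or from this advisory), the following PHP combines the two workarounds above into one request handler: an admin session gate first, then validation on input and encoding on output. The field names supp_name and supp_address and the $_SESSION['admin_logged_in'] flag come from the advisory; the function names, the sample request and the omitted storage layer are assumptions made for the example.

```php
<?php
// Added example (not code from code-projects E-Commerce Website 1.0): a
// hardened handler for supplier_update.php combining the two workarounds,
// an admin session gate plus validate-on-input / encode-on-output.
// supp_name, supp_address and $_SESSION['admin_logged_in'] are taken from
// the advisory; every function name and the omitted storage layer are
// assumptions for illustration.
declare(strict_types=1);

/** Encode a value so the browser renders it as text, never as markup. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validation on input: trim, enforce a length limit, reject control characters. */
function validate_supplier_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    // mb_strlen counts characters rather than bytes (needs the mbstring extension).
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // C0 and DEL control characters have no place in a supplier name or address.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Authorization gate: only a logged-in admin may reach supplier management. */
function is_admin_session(array $session): bool
{
    return isset($session['admin_logged_in']) && $session['admin_logged_in'] === true;
}

/**
 * Handle a supplier update. Returns the HTML table row the page would render,
 * or null when the request is rejected. Validation does not try to strip
 * "bad" characters; whatever passes is still encoded on output, so a stored
 * value can never be interpreted as script by the browser.
 */
function handle_supplier_update(array $session, array $post): ?string
{
    if (!is_admin_session($session)) {
        return null; // in the real page: header('Location: login.php'); exit();
    }
    $name    = validate_supplier_field((string) ($post['supp_name'] ?? ''), 100);
    $address = validate_supplier_field((string) ($post['supp_address'] ?? ''), 255);
    if ($name === null || $address === null) {
        return null; // reject; never echo the rejected input back into the page
    }
    // ... persist $name / $address with a prepared statement here (omitted) ...
    return '<tr><td>' . html_encode($name) . '</td><td>' . html_encode($address) . '</td></tr>';
}

// Constructed sample request: the usual script-tag canary in the name field.
$sampleSession = ['admin_logged_in' => true];
$samplePost    = [
    'supp_name'    => '<script>alert(1)</script>',
    'supp_address' => '12 Main St "Suite" 4',
];

// With an admin session the row is rendered, but "<", ">" and quotes in the
// submitted values come out as HTML entities, so nothing executes.
echo handle_supplier_update($sampleSession, $samplePost), PHP_EOL;

// Without an admin session the request is refused before any input is touched.
var_dump(handle_supplier_update([], $samplePost));
```

Keeping the stored value raw and encoding only at output is deliberate: it means every place the supplier name is displayed (list pages, invoices, exports) makes its own encoding decision, and a value that was accepted before the fix is still neutralised when the hardened page renders it.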

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious input patterns.
  • Disable or remove the supplier_update.php file if supplier management functionality is not required.

🔍 How to Verify

Check if Vulnerable:

Test by submitting HTML/JavaScript payloads in the supp_name or supp_address fields when updating supplier information and checking if they execute when the page is viewed.

Check Version:

Check the software version in the admin panel or review the installation documentation. This vulnerability only affects version 1.0.

Verify Fix Applied:

After implementing fixes, test with the same payloads to ensure they are properly sanitized and displayed as text rather than executing as scripts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /pages/supplier_update.php with script tags or JavaScript in parameters
  • Multiple failed attempts to access supplier pages without proper authentication

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript functions in supp_name or supp_address parameters
  • Traffic patterns showing exploitation attempts from known malicious IPs

SIEM Query:

source="web_logs" AND (url="/pages/supplier_update.php" AND (param="supp_name" OR param="supp_address") AND (value="*<script>*" OR value="*javascript:*"))
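The SIEM query above matches only the literal strings <script> and javascript: in the logged parameter value. As an added example (not part of this advisory), the PHP below applies the same logic to structured web-server log lines but URL-decodes and entity-decodes each parameter first, so percent-encoded variants that the plain wildcard would miss are still flagged. The one-JSON-object-per-line log shape with method, url, client_ip and params fields is an assumption; the URL and parameter names are the advisory's own, and the sample lines are constructed.

```php
<?php
// Added example (not from the advisory): a scanner that applies the SIEM
// logic to structured log lines. The JSON log format is an assumption; the
// URL and parameter names come from the advisory. Values are decoded before
// matching so encoded payloads are not missed.
declare(strict_types=1);

const TARGET_URL     = '/pages/supplier_update.php';
const WATCHED_PARAMS = ['supp_name', 'supp_address'];
// Script tags and javascript: URLs as listed in the advisory, plus inline
// event-handler attributes; all matched case-insensitively.
const SUSPICIOUS_PATTERN = '/<\s*script|javascript\s*:|\bon[a-z]+\s*=/i';

/** Undo up to three layers of percent-encoding, then HTML entities. */
function fully_decode(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Return findings as [line number, client ip, parameter, decoded value] for
 * POSTs to the supplier update page whose watched parameters look like XSS.
 */
function scan_log_lines(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry)) {
            continue; // skip malformed lines rather than abort the whole scan
        }
        if (($entry['url'] ?? '') !== TARGET_URL || ($entry['method'] ?? '') !== 'POST') {
            continue;
        }
        foreach (WATCHED_PARAMS as $param) {
            $raw = $entry['params'][$param] ?? null;
            if (!is_string($raw)) {
                continue;
            }
            $decoded = fully_decode($raw);
            if (preg_match(SUSPICIOUS_PATTERN, $decoded)) {
                $findings[] = [$n + 1, $entry['client_ip'] ?? '?', $param, $decoded];
            }
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '{"client_ip":"10.0.0.5","method":"POST","url":"/pages/supplier_update.php","params":{"supp_name":"Acme Ltd","supp_address":"1 High St"}}',
    '{"client_ip":"10.0.0.9","method":"POST","url":"/pages/supplier_update.php","params":{"supp_name":"%3Cscript%3Ealert(1)%3C%2Fscript%3E","supp_address":"x"}}',
    '{"client_ip":"10.0.0.9","method":"POST","url":"/pages/supplier_update.php","params":{"supp_name":"Acme","supp_address":"<a href=\"JavaScript:void(0)\">x</a>"}}',
    '{"client_ip":"10.0.0.7","method":"GET","url":"/pages/supplier_update.php","params":{"supp_name":"<script>"}}',
    'this line is not json',
];

foreach (scan_log_lines($sampleLog) as [$lineNo, $ip, $param, $value]) {
    printf("line %d: %s sent suspicious %s = %s\n", $lineNo, $ip, $param, $value);
}
```

Run against the constructed lines, the scanner reports the second line (percent-encoded script tag, invisible to the literal SIEM wildcard) and the third (a javascript: URL in a different case); the GET on the fourth line and the malformed fifth line are skipped. The same decoding step is worth adding to the SIEM rule itself where the platform supports it.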
