CVE-2025-13178

3.5 LOW

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the first_name and last_name fields of the user profile editor in Bdtask/CodeCanyon SalesERP. The cross-site scripting (XSS) attack can be executed remotely, potentially affecting any user who views a manipulated profile. Organizations using SalesERP up to version 20250728 are vulnerable.

💻 Affected Systems

Products:
  • Bdtask/CodeCanyon SalesERP
Versions: Up to and including 20250728
Operating Systems: All platforms running SalesERP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable component enabled are affected. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or execute arbitrary JavaScript in victims' browsers, potentially leading to full system compromise if combined with other vulnerabilities.

🟠 Likely Case

Attackers will likely use this to steal session cookies and hijack user accounts, potentially gaining unauthorized access to sensitive business data and financial information within the SalesERP system.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited to failed exploitation attempts with no successful script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been published and requires authentication to access the profile editor, but once authenticated, exploitation is trivial. Attackers could combine this with social engineering or credential stuffing to gain initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. The vendor has not responded to disclosure. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation Filter (platforms: all)

Implement server-side input validation to sanitize the first_name and last_name fields, rejecting or encoding special characters.

# Add to the PHP script that processes the profile form.
# Encoding at input time is a stop-gap: the robust fix is to encode every
# value on output with htmlspecialchars() as well, and to apply only one of the
# two to a given value so it is not double-encoded. The null-coalescing default
# avoids an undefined-index warning when a field is missing from the request.
$first_name = htmlspecialchars($_POST['first_name'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$last_name  = htmlspecialchars($_POST['last_name'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

WAF Rule Implementation (platforms: all)

Deploy a web application firewall rule to block XSS payloads in the first_name and last_name parameters.

# Example ModSecurity rules (@detectXSS needs a ModSecurity build with libinjection,
# i.e. 2.9+ or 3.x). The transformations normalise double-URL-encoded and
# HTML-entity-encoded values before the check so trivially encoded payloads do not slip past.
SecRule ARGS:first_name "@detectXSS" "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS attempt in first_name'"
SecRule ARGS:last_name "@detectXSS" "id:1002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS attempt in last_name'"

🧯 If You Can't Patch

  • Implement a strict Content Security Policy (CSP) that disallows inline scripts and untrusted script sources, so an injected tag in a profile page is not executed by the browser.
  • Disable or restrict access to the /edit_profile endpoint for non-administrative users.

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> into the first_name or last_name field in the profile editor and check whether the script executes when the profile is viewed.

Check Version:

# Check SalesERP version in admin panel or configuration files
# Typically found in config files or database version tables

Verify Fix Applied:

Attempt the same XSS payload after implementing fixes; the script should not execute and special characters should be properly encoded.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /edit_profile with script tags or JavaScript in parameters
  • Multiple failed login attempts followed by profile edit requests

Network Indicators:

  • HTTP requests containing <script> tags in first_name or last_name parameters
  • Unusual outbound connections from SalesERP server after profile edits

SIEM Query:

source="saleserp_logs" AND (first_name="*<script>*" OR last_name="*<script>*")

This query matches only a literal, unencoded <script> tag. Extend it to URL-encoded forms (%3Cscript) and to inline event-handler attributes (on*=), or normalise the two fields before matching, so encoded attempts are not missed.
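As an added detection example (not from the advisory or the vendor), the script below applies the log indicators above to constructed access-log lines. It assumes a reverse-proxy log format that appends the POST body as a final quoted field, and it decodes URL and HTML-entity encoding before matching so it also catches the encoded forms that the literal <script> SIEM match misses.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (not from a real SalesERP deployment). Assumed format:
# a reverse proxy that appends the POST body as a final quoted field.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "POST /edit_profile HTTP/1.1" 302 '
    '"first_name=Alice&last_name=Smith"',
    '10.0.0.9 - mallory [01/Jan/2025:10:01:00 +0000] "POST /edit_profile HTTP/1.1" 302 '
    '"first_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&last_name=X"',
    '10.0.0.9 - mallory [01/Jan/2025:10:02:00 +0000] "POST /edit_profile HTTP/1.1" 302 '
    '"first_name=Bob&last_name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"',
    '10.0.0.9 - mallory [01/Jan/2025:10:03:00 +0000] "POST /edit_profile HTTP/1.1" 302 '
    '"first_name=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B&last_name=Y"',
    '10.0.0.7 - carol [01/Jan/2025:10:04:00 +0000] "GET /profile/3 HTTP/1.1" 200 "-"',
]

FIELDS = ("first_name", "last_name")  # the two fields named in the advisory
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)
# Script tags, inline event-handler attributes and javascript: URLs, checked after decoding.
XSS_RE = re.compile(r'<\s*script|<\s*[a-z]+[^>]*\bon[a-z]+\s*=|javascript\s*:', re.I)


def normalise(value: str) -> str:
    """Undo the encodings a literal '*<script>*' SIEM match never sees through."""
    for _ in range(2):            # two rounds also catch double URL-encoding
        value = unquote_plus(value)
    return html.unescape(value)   # &lt;script&gt; -> <script>


def suspicious_profile_edits(lines):
    """Return one hit per first_name/last_name value that carries an XSS vector."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or urlsplit(m["path"]).path != "/edit_profile":
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # decodes one URL layer
        for field in FIELDS:
            for raw in params.get(field, []):
                decoded = normalise(raw)
                if XSS_RE.search(decoded):
                    hits.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                                 "field": field, "value": decoded})
    return hits
```

Feed it the proxy log and forward each hit (user, source IP, field, decoded value) to the SIEM; the third sample line is the entity-encoded case a raw <script> search would not flag.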
