CVE-2025-14221
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the First Name/Last Name fields of SourceCodester Online Banking System 1.0, enabling cross-site scripting attacks. The vulnerability affects all users of this specific banking system version and can be exploited remotely without authentication.
💻 Affected Systems
- SourceCodester Online Banking System
📦 What is this software?
Banking System by Oretnom23
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to account takeover and financial fraud.
Likely Case
Attackers will likely use this to steal session cookies and hijack user accounts, potentially accessing banking information and performing unauthorized transactions.
If Mitigated
With proper server-side input validation and output encoding, the risk is reduced to minimal, although the endpoint itself remains reachable.
🎯 Exploit Status
The exploit is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sourcecodester.com/
Restart Required: No
Instructions:
No official patch available. Consider implementing input validation and output encoding as a temporary fix.
🔧 Temporary Workarounds
Implement Input Validation
Add server-side validation to sanitize First Name and Last Name inputs, rejecting or encoding special characters.
Enable Content Security Policy
Implement CSP headers to restrict script execution from unauthorized sources.
🧯 If You Can't Patch
- Deploy a Web Application Firewall (WAF) with XSS protection rules
- Restrict access to the vulnerable endpoint using network segmentation or authentication
🔍 How to Verify
Check if Vulnerable:
Test the /?page=user endpoint by injecting script payloads into First Name/Last Name parameters and checking if they execute.
Check Version:
Check the application's version in its configuration files or admin panel.
Verify Fix Applied:
Verify that script injections in First Name/Last Name fields are properly sanitized and do not execute in the browser.
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters in First Name/Last Name parameters in web server logs
Network Indicators:
- HTTP requests to /?page=user with script tags or JavaScript in parameters
SIEM Query:
source="web_server" AND uri="/?page=user" AND (param="First Name" OR param="Last Name") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
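The log and network indicators above, worked as an added detection example that is not part of the advisory: it parses constructed access-log lines and flags /?page=user requests whose First Name/Last Name parameters carry script markers or an abnormal length. The parameter names firstname/lastname, the marker patterns and the length threshold are assumptions, not values taken from the application.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format). The parameter
# names firstname/lastname are an assumption about the application.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?page=user&firstname=Alice&lastname=Smith HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2025:10:00:07 +0000] "GET /?page=user&firstname=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lastname=Smith HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2025:10:00:09 +0000] "GET /?page=user&firstname=Bob&lastname=javascript%3Aalert(1) HTTP/1.1" 200 512
198.51.100.2 - - [10/Jan/2025:10:00:12 +0000] "GET /?page=home HTTP/1.1" 200 128
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
WATCHED_PARAMS = ("firstname", "lastname")      # assumed parameter names
# Script tags, javascript: URLs and inline event handlers (assumed marker set).
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE)
MAX_NAME_LEN = 50                                # assumed threshold for a real name


def find_suspicious(log_text):
    """Return one record per watched parameter value that looks like an XSS attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        params = parse_qs(query, keep_blank_values=True)
        if params.get("page") != ["user"]:       # only the vulnerable endpoint
            continue
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                # parse_qs decoded once; a second pass also exposes double-encoded input
                decoded = unquote_plus(value)
                reasons = []
                if XSS_MARKERS.search(decoded):
                    reasons.append("script_marker")
                if len(decoded) > MAX_NAME_LEN:
                    reasons.append("length")
                if reasons:
                    hits.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "value": decoded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```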