CVE-2025-14662 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-14662?

CVE-2025-14662 has a CVSS score of 2.4 (LOW). This vulnerability allows attackers to inject malicious scripts into the Student File Management System's update user page. When exploited, it enables cross-site scripting attacks that could steal session cookies or redirect users. Administrators and users accessing the affected /admin/update_user.php page are at risk.

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts into the Student File Management System's update user page. When exploited, it enables cross-site scripting attacks that could steal session cookies or redirect users. Administrators and users accessing the affected /admin/update_user.php page are at risk.

💻 Affected Systems

Products:

code-projects Student File Management System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with the vulnerable /admin/update_user.php component accessible.

📦 What is this software?

Student File Management System by Fabian

View all CVEs affecting Student File Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full system access, and compromise all student data including sensitive personal information.

🟠

Likely Case

Attackers hijack user sessions, redirect to phishing sites, or deface the update user page with malicious content.

🟢

If Mitigated

Script execution is blocked by modern browser XSS protections, limiting impact to basic page manipulation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or implement workarounds.

🔧 Temporary Workarounds

Input Sanitization

all

Add proper input validation and output encoding to /admin/update_user.php

Edit update_user.php to sanitize all user inputs using htmlspecialchars() or similar functions

Access Restriction

all

Restrict access to admin pages to trusted IP addresses only

Add .htaccess rules or web server configuration to limit /admin/ directory access

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) with XSS protection rules
Disable or remove the /admin/update_user.php component if not needed

🔍 How to Verify

Check if Vulnerable:

Test /admin/update_user.php with XSS payloads like <script>alert('test')</script> in user input fields

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify that script tags are properly encoded in output and do not execute

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /admin/update_user.php with script tags or JavaScript code
Multiple failed login attempts followed by successful admin access

Network Indicators:

HTTP requests containing script tags or encoded JavaScript in parameters
Unexpected redirects from the update user page

SIEM Query:

source="web_server" AND (url="/admin/update_user.php" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))

📊 Metadata

CVE ID: CVE-2025-14662

CVSS v3 Score: 2.4 (LOW)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-79

EPSS Score: 0.03% exploit probability (8.4th percentile)

Published: December 14, 2025

Last Updated: December 16, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/jjjjj-zr/jjjjjzr15/issues/1 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.336394 Permissions Required,VDB Entry
https://vuldb.com/?id.336394 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.713873 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14662, you might also want to check these: