CVE-2025-14991

2.4 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in Campcodes Complete Online Beauty Parlor Management System 1.0. Attackers can inject malicious scripts via the 'fromdate' parameter in the admin interface, potentially compromising user sessions or stealing credentials. The vulnerability affects all installations of version 1.0 with the vulnerable file present.

💻 Affected Systems

Products:
  • Campcodes Complete Online Beauty Parlor Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of version 1.0. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin credentials, hijack user sessions, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠 Likely Case

Attackers inject malicious scripts to steal session cookies or credentials from administrators or users accessing the vulnerable page.

🟢 If Mitigated

With proper input validation and output encoding, the attack would fail, and no impact would occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. The attack requires access to the admin interface; no authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch is available. Consider implementing input validation and output encoding in /admin/bwdates-reports-details.php.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation and sanitization of the 'fromdate' parameter to prevent XSS payloads.

Edit /admin/bwdates-reports-details.php to validate and sanitize user input for 'fromdate' parameter.

Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to block malicious requests targeting the vulnerable endpoint.

Configure WAF rules to detect and block XSS patterns in the 'fromdate' parameter.

🧯 If You Can't Patch

  • Restrict access to the /admin/ directory to trusted IP addresses only.
  • Disable or remove the vulnerable file /admin/bwdates-reports-details.php if not required.

🔍 How to Verify

Check if Vulnerable:

Test the /admin/bwdates-reports-details.php endpoint with a simple XSS payload in the 'fromdate' parameter (e.g., <script>alert('XSS')</script>) and check if it executes.

Check Version:

Check the system version in the admin panel or review the software documentation for version information.

Verify Fix Applied:

After applying fixes, retest with the same XSS payload to ensure it is properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /admin/bwdates-reports-details.php with script tags or encoded payloads in the 'fromdate' parameter.

Network Indicators:

  • HTTP requests containing malicious scripts in the query string targeting the vulnerable endpoint.

SIEM Query:

source="web_server_logs" AND uri="/admin/bwdates-reports-details.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
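
The query above matches literal strings only, so it misses a payload that the web server logged in percent-encoded form. The following added example (not part of the advisory or of the vendor's code) decodes the 'fromdate' value before matching; the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote, unquote_plus

ENDPOINT = "/admin/bwdates-reports-details.php"  # path named in the advisory
PARAM = "fromdate"                               # parameter named in the advisory
# Markup characters and the javascript: scheme have no place in a date value.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo leftover percent-encoding layers before matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fromdate(log_line):
    """Return the decoded 'fromdate' value if it carries markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not unquote(url.path).lower().endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)  # parse_qs has already decoded one layer
        if SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, start=1)
            if (v := suspicious_fromdate(line)) is not None]

# Constructed sample log lines (documentation IP range), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2025:10:00:00 +0000] "GET /admin/bwdates-reports-details.php?fromdate=2025-12-01 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Dec/2025:10:02:11 +0000] "GET /admin/bwdates-reports-details.php?fromdate=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [01/Dec/2025:10:02:40 +0000] "GET /admin/bwdates-reports-details.php?fromdate=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [01/Dec/2025:10:03:02 +0000] "GET /index.php?fromdate=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious fromdate value {value!r}")
```

A value submitted in a POST body does not appear in a standard access log, so this check covers query-string requests only.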
