CVE-2025-40694

5.4 MEDIUM

📋 TL;DR

This stored cross-site scripting vulnerability in Online Fire Reporting System v1.2 allows authenticated attackers to inject malicious scripts via date parameters. When exploited, it can steal authenticated users' session cookies, potentially leading to account takeover. Only systems running the vulnerable PHPGurukul software are affected.

💻 Affected Systems

Products:
  • PHPGurukul Online Fire Reporting System
Versions: v1.2
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit, but default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access by stealing admin session cookies, potentially compromising the entire system and sensitive fire reporting data.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, manipulate fire reporting data, or perform unauthorized actions within the system.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be neutralized, preventing session theft.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access, plus social engineering to deliver the stored payload to victims who view the report page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updates

Vendor Advisory: https://www.phpgurukul.com/

Restart Required: No

Instructions:

1. Contact PHPGurukul for a patched version
2. Update to the latest version
3. Apply input validation to the 'fromdate' and 'todate' parameters

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to only accept valid date formats for 'fromdate' and 'todate' parameters

Implement a PHP filter such as: if(!preg_match('/^\d{4}-\d{2}-\d{2}\z/', $_POST['fromdate'] ?? '')) { die('Invalid date format'); } and apply the same check to $_POST['todate']. Note that \z is used rather than $, because $ in PCRE also matches before a trailing newline, and the ?? '' guard avoids an undefined-index warning when the field is absent.
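The following is an added example, not PHPGurukul's code and not taken from the advisory, showing the two halves of the mitigation described above: strict server-side validation of 'fromdate' and 'todate', and HTML encoding of anything echoed back into the report page. The function names, the heading markup, and the sample inputs are assumptions for illustration; the vulnerable renderer only mirrors the shape of the flaw (a submitted value written straight into HTML).

```php
<?php
// Added example (not PHPGurukul code): validate the date parameters, then
// encode on output. Function and variable names are assumptions.

/**
 * Return the date as 'YYYY-MM-DD' if it is well-formed and a real calendar
 * date, or null otherwise. \z (not $) is used so a trailing newline cannot
 * slip past the pattern.
 */
function validate_report_date(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})\z/', $value, $m)) {
        return null;
    }
    // Reject impossible dates such as 2025-02-30 that the regex alone accepts.
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    return $value;
}

/**
 * Encode a value for safe insertion into HTML text, so even a value that
 * somehow bypasses validation renders as text rather than markup.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape the advisory describes: the submitted value is echoed
// straight into the page with no validation or encoding.
function render_heading_vulnerable(string $from, string $to): string
{
    return "<h4>Report from $from to $to</h4>";
}

// Hardened shape: validate first, then encode whatever is written out.
function render_heading_hardened(?string $from, ?string $to): string
{
    $from = validate_report_date($from);
    $to   = validate_report_date($to);
    if ($from === null || $to === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return '<p>Invalid date format</p>';
    }
    return '<h4>Report from ' . h($from) . ' to ' . h($to) . '</h4>';
}

// Constructed inputs standing in for $_POST['fromdate'] / $_POST['todate'].
if (PHP_SAPI === 'cli') {
    $cases = [
        ['2025-01-01', '2025-01-31'],                    // valid range
        ["<script>alert('XSS')</script>", '2025-01-31'], // script tag in a date field
        ['2025-02-30', '2025-03-01'],                    // well-formed but not a real date
        ["2025-01-01\n", '2025-01-31'],                  // trailing newline, caught by \z
    ];
    foreach ($cases as [$from, $to]) {
        echo "vulnerable: ", render_heading_vulnerable($from, $to), "\n";
        echo "hardened:   ", render_heading_hardened($from, $to), "\n\n";
    }
}
```

Run it with `php example.php` to see each input rendered both ways. Validation is the primary control here because the values are only ever meant to be dates; output encoding is the second layer so that any other field echoed into the page gets the same protection regardless of how it was validated.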

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in POST parameters
  • Add Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Test by submitting <script>alert('XSS')</script> as 'fromdate' or 'todate' parameter to /ofrs/admin/bwdates-report-result.php

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify that script tags in date parameters are properly sanitized or rejected

📡 Detection & Monitoring

Log Indicators:

  • POST requests to bwdates-report-result.php with script tags or JavaScript in parameters
  • Unusual date format submissions

Network Indicators:

  • HTTP POST requests containing script payloads in date fields

SIEM Query:

source="web_logs" AND uri="*bwdates-report-result.php*" AND (param="*<script>*" OR param="*javascript:*")
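As an added example, not part of the advisory and not PHPGurukul's code, the script below runs the log indicators listed above over constructed application request-log lines. The log format is an assumption (timestamp, client IP, method, URI, then the URL-encoded form body as the application recorded it); standard web-server access logs do not include POST bodies, so this assumes the application or a WAF writes them. It goes one step beyond the SIEM query by URL-decoding the parameters before matching, since a literal `*<script>*` pattern never sees `%3Cscript%3E` as submitted on the wire.

```php
<?php
// Added example (not from the advisory): detection logic over constructed
// request-log lines. Log format and field names are assumptions.

const TARGET_URI  = '/ofrs/admin/bwdates-report-result.php';
const DATE_PARAMS = ['fromdate', 'todate'];

/** Decode a form value repeatedly so a double-encoded %253C ('<') is caught too. */
function deep_urldecode(string $v, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $d = urldecode($v);
        if ($d === $v) {
            break;
        }
        $v = $d;
    }
    return $v;
}

/** Return the reasons a request line looks suspicious; empty array if it does not. */
function inspect_request(string $line): array
{
    $parts = explode(' ', $line, 5);
    if (count($parts) < 5) {
        return [];
    }
    [$ts, $ip, $method, $uri, $body] = $parts;
    if ($method !== 'POST' || strpos($uri, TARGET_URI) === false) {
        return [];
    }

    parse_str($body, $params);   // splits the body and URL-decodes each value once
    $reasons = [];
    foreach (DATE_PARAMS as $name) {
        if (!isset($params[$name])) {
            continue;
        }
        $value = deep_urldecode((string)$params[$name]);
        $lower = strtolower($value);
        if (strpos($lower, '<script') !== false) {
            $reasons[] = "$name contains a script tag";
        } elseif (strpos($lower, 'javascript:') !== false) {
            $reasons[] = "$name contains a javascript: URL";
        } elseif (!preg_match('/^\d{4}-\d{2}-\d{2}\z/', $value)) {
            // "Unusual date format submissions" from the advisory's indicators.
            $reasons[] = "$name is not in YYYY-MM-DD form";
        }
    }
    return $reasons;
}

/** Map of 1-based line number => reasons, for every suspicious line. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $reasons = inspect_request($line);
        if ($reasons) {
            $hits[$n + 1] = $reasons;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '2025-05-01T10:00:01Z 10.0.0.5 POST /ofrs/admin/bwdates-report-result.php fromdate=2025-01-01&todate=2025-01-31',
    '2025-05-01T10:00:02Z 10.0.0.9 POST /ofrs/admin/bwdates-report-result.php fromdate=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&todate=2025-01-31',
    '2025-05-01T10:00:03Z 10.0.0.9 POST /ofrs/admin/bwdates-report-result.php fromdate=2025-01-01&todate=%253Cscript%253E',
    '2025-05-01T10:00:04Z 10.0.0.7 GET /ofrs/admin/bwdates-report.php -',
    '2025-05-01T10:00:05Z 10.0.0.8 POST /ofrs/admin/bwdates-report-result.php fromdate=01/01/2025&todate=2025-01-31',
];

foreach (scan_log($sample) as $lineNo => $reasons) {
    echo "line $lineNo: ", implode('; ', $reasons), "\n";
}
```

Lines 2, 3 and 5 of the constructed sample are flagged; line 1 is a normal report request and line 4 is a GET to a different page. The date-format check is the most useful of the three in practice, because it fires on any payload that is not a date, not only on the two literal strings in the SIEM query.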
