CVE-2025-40695
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Online Fire Reporting System v1.2 allows authenticated attackers to inject malicious scripts via the 'remark', 'status', and 'takeaction' parameters. This could lead to session cookie theft when an authenticated user views the compromised request details. Organizations using PHPGurukul's Online Fire Reporting System v1.2 are affected.
💻 Affected Systems
- PHPGurukul Online Fire Reporting System
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the system, manipulate fire reports, and potentially compromise the entire system.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access sensitive fire reporting data, and modify system records.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to data integrity issues.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable endpoint; stored XSS payloads persist until cleaned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - check vendor advisory
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpgurukuls-online-fire-reporting-system
Restart Required: No
Instructions:
1. Check the vendor advisory for patch details.
2. Apply the vendor-provided patch.
3. Validate input sanitization in request-details.php.
4. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation and HTML output encoding for user-supplied values in the vulnerable parameters.
Modify /ofrs/admin/request-details.php so that the 'remark', 'status', and 'takeaction' values are encoded with htmlspecialchars() (or an equivalent function) before they are rendered.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to the /ofrs/admin/ directory to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Test by submitting a simple XSS payload like <script>alert('XSS')</script> in the 'remark' field via POST to /ofrs/admin/request-details.php and check if it executes when viewing the page.
Check Version:
Check the system version in the admin panel or review the software documentation/configuration files.
Verify Fix Applied:
After patching, repeat the XSS test; the payload should be displayed as plain text or blocked, not executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /ofrs/admin/request-details.php with script tags or JavaScript in parameters.
- Multiple failed login attempts followed by successful access to the admin panel.
Network Indicators:
- HTTP traffic containing malicious script payloads in POST data to the vulnerable endpoint.
SIEM Query:
source="web_logs" AND uri="/ofrs/admin/request-details.php" AND (post_data LIKE "%<script>%" OR post_data LIKE "%javascript:%")
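The SIEM query above matches only the literal string `<script>`. As an added example (not from the advisory or the vendor), the Python scanner below applies the same endpoint scope over constructed JSON log records but matches case-insensitively after URL-decoding and also flags `javascript:` URIs and inline event-handler attributes; the record field names (`user`, `method`, `uri`, `post_data`) are assumed.

```python
import json
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory; the SIEM query scopes on it.
VULN_URI = "/ofrs/admin/request-details.php"
# Parameters the advisory lists as injectable.
WATCHED_PARAMS = ("remark", "status", "takeaction")

# Broader than the advisory's LIKE "%<script>%" clause: case-insensitive,
# tolerant of whitespace/attributes after the tag name, and covering
# javascript: URIs and inline on*= event handlers.
XSS_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def normalise(value: str) -> str:
    """Undo up to two layers of URL encoding so encoded payloads still match."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_lines):
    """Return (user, parameter, raw value) for POSTs to the vulnerable endpoint
    whose watched parameters contain script-like content."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri") != VULN_URI:
            continue
        for name in WATCHED_PARAMS:
            raw = rec.get("post_data", {}).get(name, "")
            if XSS_RE.search(normalise(raw)):
                hits.append((rec.get("user"), name, raw))
    return hits

# Constructed sample records (one JSON object per line, as a log shipper
# with POST-body capture might emit). Assumed field names.
SAMPLE_LOGS = [
    '{"user":"admin","method":"POST","uri":"/ofrs/admin/request-details.php","post_data":{"remark":"Crew dispatched","status":"Closed","takeaction":"Yes"}}',
    '{"user":"staff1","method":"POST","uri":"/ofrs/admin/request-details.php","post_data":{"remark":"<script>alert(\'XSS\')</script>","status":"Open","takeaction":"No"}}',
    '{"user":"staff2","method":"POST","uri":"/ofrs/admin/request-details.php","post_data":{"remark":"ok","status":"%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E","takeaction":"No"}}',
    '{"user":"staff3","method":"POST","uri":"/ofrs/index.php","post_data":{"remark":"<script>x</script>"}}',
]

if __name__ == "__main__":
    for user, param, value in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT user={user} param={param} value={value!r}")
```

Only records for the advisory's endpoint are considered, so the fourth sample (a different URI) is deliberately not reported; widen `VULN_URI` to a prefix match if the same template is reused elsewhere in the application.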