CVE-2025-40696
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Online Fire Reporting System v1.2 allows authenticated attackers to inject malicious scripts into user input fields. When other authenticated users view the compromised reports, their session cookies can be stolen, potentially leading to account takeover. Only systems running the vulnerable PHPGurukul software are affected.
💻 Affected Systems
- PHPGurukul Online Fire Reporting System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, manipulate fire reports, and potentially compromise the entire system or pivot to internal networks.
Likely Case
Attackers steal regular user session cookies to impersonate them, submit false fire reports, or access sensitive data within the application.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing session theft.
🎯 Exploit Status
Exploitation requires authenticated access to the reporting system. Attackers must craft malicious payloads for fullname, location, or message parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - check vendor advisory
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-phpgurukuls-online-fire-reporting-system
Restart Required: No
Instructions:
1. Check vendor advisory for patch details. 2. Apply vendor-provided patch. 3. Implement input validation and output encoding. 4. Test the fix thoroughly.
🔧 Temporary Workarounds
Input Validation Filter
allImplement server-side input validation to sanitize fullname, location, and message parameters
Add input sanitization in reporting.php before processing POST data
Output Encoding
allApply proper HTML encoding when displaying user-controlled data
Use htmlspecialchars() or similar functions when outputting user data
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Restrict user permissions to minimize impact of session theft
🔍 How to Verify
Check if Vulnerable:
Test by submitting a simple XSS payload like <script>alert('test')</script> in fullname, location, or message fields and check if it executes when viewing reports.Check Version:
Check system documentation or admin panel for version informationVerify Fix Applied:
Attempt the same XSS payload after patching - it should be displayed as plain text, not executed.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /ofrs/reporting.php with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful authentication and report submission
Network Indicators:
- HTTP traffic containing script tags or JavaScript in POST parameters to the vulnerable endpoint
SIEM Query:
source="web_logs" AND (uri_path="/ofrs/reporting.php" AND (param_value="*<script>*" OR param_value="*javascript:*"))