CVE-2025-60302
📋 TL;DR
CVE-2025-60302 is a stored cross-site scripting (XSS) vulnerability in code-projects Client Details System 1.0. The username field of the add-customer form accepts JavaScript, which is stored with the customer record and executes in the browser of any user who later views that record. Every user of the vulnerable version who opens the affected interface is exposed.
💻 Affected Systems
- code-projects Client Details System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting the specific vulnerable field.
🎯 Exploit Status
Exploitation requires the ability to add customer information, so some level of authenticated access is likely needed. The GitHub reference cited for this CVE may contain technical details, but no full public exploit is documented here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for updated version
Vendor Advisory: http://code-projects.com (vendor site; no dedicated advisory page is linked)
Restart Required: No
Instructions:
1. Check code-projects.com for security updates.
2. Apply the latest patch or upgrade to a fixed version.
3. Verify the fix by testing the username field for XSS (see How to Verify below).
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation that rejects or sanitizes markup and JavaScript in the username field
Implement input validation in the customer information processing code
Output Encoding
Apply proper HTML encoding at the point where user-supplied data is written into the page
Use HTML entity encoding for all user-controlled output
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Restrict access to the customer information interface to trusted users only
🔍 How to Verify
Check if Vulnerable:
Add a customer with a basic payload such as <script>alert('XSS')</script> in the username field, then open the page where customer records are listed or displayed. If the alert fires there, the stored value is rendered as markup and the instance is vulnerable.
Check Version:
Check the application version in the admin interface or configuration files
Verify Fix Applied:
Retest the username field with XSS payloads after applying fixes to ensure they are properly sanitized or rejected
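The following Python is an added example, not code from Client Details System or from code-projects. It models the two workarounds above (server-side validation and output encoding) and the verification step in one place: a vulnerable render that concatenates the stored username into HTML, the hardened render with entity encoding plus an allow-list validator, and a parser-based check that reports whether a stored payload ended up as executable markup rather than visible text. The row markup, the allow-list policy and the marker string are assumptions.

```python
import html
import re
from html.parser import HTMLParser


# Constructed stand-in for the vulnerable flow (the real application's source is
# not reproduced here): the stored username is concatenated straight into the
# customer listing, which is the pattern behind a stored XSS.
def render_customer_row_vulnerable(username: str) -> str:
    return f"<tr><td>{username}</td></tr>"


# Output encoding: encode at the point the value enters HTML, so <, >, &, " and '
# become entities and cannot open a tag or attribute.
def render_customer_row_hardened(username: str) -> str:
    return f"<tr><td>{html.escape(username, quote=True)}</td></tr>"


# Server-side validation. The allow-list (letters, digits, space, dot,
# underscore, hyphen, at most 64 chars) is an assumed policy; adjust it to what
# a customer name legitimately needs, and still encode on output regardless.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._ \-]{1,64}")


def validate_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


class _ScriptFinder(HTMLParser):
    """Collect <script> bodies and inline JavaScript attributes from a page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on") or (
                name in ("href", "src", "action") and value.lower().startswith("javascript:")
            ):
                self.handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def payload_is_live(page_html: str, marker: str) -> bool:
    """Verification check: does `marker` sit inside executable markup?

    A plain substring test is misleading: an encoded payload still contains the
    text alert('XSS'), but as visible text. Parsing the page tells whether the
    marker landed in a <script> body or an inline handler, i.e. whether it runs.
    """
    finder = _ScriptFinder()
    finder.feed(page_html)
    return any(marker in s for s in finder.scripts + finder.handlers)


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"
    marker = "alert('XSS')"
    for name, render in (("vulnerable", render_customer_row_vulnerable),
                         ("hardened", render_customer_row_hardened)):
        page = render(payload)
        print(f"{name}: {page}")
        print(f"  live script: {payload_is_live(page, marker)}")
    print("validator accepts payload:", validate_username(payload))
```

To use this against a real instance, fetch the customer listing page after submitting the payload and pass the response body to `payload_is_live`; a result of `False` after the fix, with the encoded entities visible in the page source, is what "properly sanitized or rejected" should look like.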
📡 Detection & Monitoring
Log Indicators:
- Username values in add-customer submissions that contain angle brackets, script tags, javascript: URIs or on*= event handlers (inspect the decoded value; the payload normally arrives percent-encoded)
- Multiple failed login attempts following suspicious username entries
Network Indicators:
- HTTP requests whose parameters or form body carry script tags, javascript: URIs or inline event handlers in the username parameter
SIEM Query:
web_requests WHERE url_parameters CONTAINS '<script>' OR url_parameters CONTAINS 'javascript:'
This query inspects only URL parameters and two literal strings. The add-customer form is most likely submitted as a POST, so extend the search to the request body where your proxy or WAF logs it, match on URL-decoded values, and add event-handler patterns such as onerror= and onload=.
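As an added example that is not part of the original advisory, the Python below runs detection logic over constructed log records. It assumes an application or WAF log that records the form body (standard web-server access logs do not), and the field names, paths and addresses are made up. It contrasts a body-aware, decoded-value scan with the URL-parameter-only query above, which misses every one of the sample attacks.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (not real traffic) in the shape of an application
# or WAF log that captures the form body. Field names are assumed.
SAMPLE_LOG = """
{"ts":"2025-09-01T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/customer/add","query":"","body":"username=Jane+Doe&email=jane%40example.com"}
{"ts":"2025-09-01T10:00:07Z","src":"203.0.113.9","method":"POST","path":"/customer/add","query":"","body":"username=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&email=x%40example.com"}
{"ts":"2025-09-01T10:00:12Z","src":"203.0.113.9","method":"GET","path":"/customer/search","query":"q=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E","body":""}
{"ts":"2025-09-01T10:00:20Z","src":"203.0.113.9","method":"POST","path":"/customer/add","query":"","body":"username=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E&email=y%40example.com"}
{"ts":"2025-09-01T10:00:31Z","src":"198.51.100.2","method":"POST","path":"/customer/add","query":"","body":"username=O%27Brien+%26+Sons&email=ob%40example.com"}
"""

# Patterns applied to *decoded* parameter values. Matching the raw,
# still percent-encoded string would miss %3Cscript%3E entirely.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<\s*[a-z]+[^>]*\son[a-z]+\s*=", re.I),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}


def suspicious_values(encoded: str):
    """Decode a query string or form body; return (param, value, rule) hits."""
    hits = []
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        for value in values:
            value = unquote_plus(value)  # second pass catches double-encoded payloads
            for rule, pattern in XSS_PATTERNS.items():
                if pattern.search(value):
                    hits.append((name, value, rule))
                    break
    return hits


def scan_log(text: str):
    """Inspect both the query string and the body of every record."""
    alerts = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        for field in ("query", "body"):
            for param, value, rule in suspicious_values(rec[field]):
                alerts.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                               "field": field, "param": param, "rule": rule, "value": value})
    return alerts


def query_only_hits(text: str) -> int:
    """The advisory's SIEM query as written: URL parameters only, two literal strings."""
    count = 0
    for line in text.strip().splitlines():
        q = unquote_plus(json.loads(line)["query"])
        if "<script>" in q or "javascript:" in q:
            count += 1
    return count


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["src"]} {a["path"]} {a["field"]}:{a["param"]} [{a["rule"]}] {a["value"]}')
    print("query-only rule hits:", query_only_hits(SAMPLE_LOG))
```

The legitimate value O'Brien & Sons produces no alert, which matters in practice: a rule that fires on every apostrophe or ampersand in a customer name will be tuned out within a day. Grouping the alerts by source address (all three hits here come from one client) gives the analyst the pivot for the follow-up search of who viewed the poisoned record.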