CVE-2025-60314

5.4 MEDIUM

📋 TL;DR

Configuroweb Sistema Web de Inventario 1.0 has a stored XSS vulnerability in the product name parameter that allows authenticated attackers to inject malicious JavaScript. The injected code is stored with the product and executes in the browser of every user who views the product list, so it affects all deployments of version 1.0 of this inventory management system. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • Configuroweb Sistema Web de Inventario
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL web server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. Requires PHP/MySQL environment.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker steals administrator session cookies, gains full system control, exfiltrates all inventory data, and compromises user accounts through session hijacking.

🟠

Likely Case

Authenticated low-privilege user injects XSS payloads to steal other users' session cookies, leading to account takeover and data manipulation.

🟢

If Mitigated

With proper input validation and output encoding, the vulnerability is eliminated; stored XSS payloads are rendered harmless as text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. GitHub repository contains proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub repository for updates

Vendor Advisory: https://github.com/configuroweb/inventariobasico

Restart Required: No

Instructions:

1. Download the latest version from the GitHub repository.
2. Replace the vulnerable files.
3. Ensure proper input validation and output encoding are implemented for the product name parameter.

🔧 Temporary Workarounds

Input Sanitization Filter (PHP)

Add server-side escaping so that HTML and JavaScript in the product name parameter are neutralized before the value is stored or echoed back to the page. Note that escaping at input time only protects values that pass through this code path; values already stored, or written by other paths, still need escaping at output time.

    // Escape HTML metacharacters (including both quote styles) in the submitted product name
    $product_name = htmlspecialchars($_POST['product_name'] ?? '', ENT_QUOTES, 'UTF-8');
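As an added illustration (not code from the Configuroweb project or from this advisory), the vulnerable rendering pattern is shown beside a hardened version that escapes at output time, which is where stored XSS actually bites: a value escaped only at input can still reach the page unescaped via imports, admin tools or rows written before the fix. The table and column names `productos`/`nombre`, the `e()` helper and the `saveProduct()` function are assumptions; PHP 8 is assumed for `str_contains()`, and `mb_strlen()` needs the mbstring extension.

```php
<?php
// Added example, not the Configuroweb project's code. Table/column names
// (productos.nombre), e() and saveProduct() are assumptions for illustration.

// Escape for an HTML text or attribute context. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE avoids returning an empty string when the input is not valid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: the stored name is concatenated into the page verbatim, so a name such as
// <script>alert('XSS')</script> runs in the browser of every user who opens the list.
function renderRowVulnerable(array $product): string
{
    return '<tr><td>' . $product['id'] . '</td><td>' . $product['nombre'] . '</td></tr>';
}

// HARDENED: every dynamic value is escaped at output time. The browser then shows the
// payload as literal text instead of parsing it as markup.
function renderRowSafe(array $product): string
{
    return '<tr><td>' . e((string) $product['id']) . '</td><td>' . e($product['nombre']) . '</td></tr>';
}

// Storage side: a prepared statement stores the name as data; a length limit keeps
// oversized payloads out. The raw value is kept, because escaping belongs to output.
function saveProduct(PDO $db, string $name): void
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('product name must be 1-100 characters');
    }
    $stmt = $db->prepare('INSERT INTO productos (nombre) VALUES (:nombre)');
    $stmt->execute([':nombre' => $name]);
}

// Self-check mirroring the "How to Verify" step with the advisory's own test payload.
$payload = "<script>alert('XSS')</script>";
$row = ['id' => 1, 'nombre' => $payload];

$vuln = renderRowVulnerable($row);
$safe = renderRowSafe($row);

echo 'vulnerable output contains a live <script> tag: ' . (str_contains($vuln, '<script>') ? 'yes' : 'no') . "\n";
echo 'hardened output contains a live <script> tag:   ' . (str_contains($safe, '<script>') ? 'yes' : 'no') . "\n";
echo 'hardened output: ' . $safe . "\n";
```

Running the script prints "yes" for the vulnerable renderer and "no" for the hardened one, and the hardened output shows the payload with `<`, `>` and the quotes replaced by HTML entities. The same `e()` helper should wrap every place the product name is echoed, not only the list view.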

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in product name parameter
  • Disable product name editing functionality for non-admin users

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> in the product name field and checking whether the script executes when the product list is viewed.

Check Version:

Check version in application interface or source code comments

Verify Fix Applied:

Attempt the same XSS payload; it should be displayed as plain text, with no script execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual product names containing script tags or JavaScript code in database/logs
  • Multiple failed login attempts followed by product creation/modification

Network Indicators:

  • HTTP POST requests to product endpoints with script payloads in parameters

SIEM Query:

source="web_logs" AND (uri="/product" OR uri="/inventory") AND (param="product_name" OR param="Nombre:Producto") AND (content="<script>" OR content="javascript:")
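The two indicators above can be checked offline with the following script, added here as an example and not part of the advisory or the Configuroweb project. It scans request-log lines for POSTs to product endpoints whose product-name parameter carries script markers, and scans stored product names for the same markers. The endpoint paths and parameter names are taken from the SIEM query above; the log format (one JSON object per line, including the request body) and all sample lines and rows are constructed for the example. A plain web-server access log does not record POST bodies, so the request-log check needs a reverse proxy, WAF or application log that does.

```php
<?php
// Added example, not part of the advisory. Log format, sample lines and sample rows are
// constructed; endpoint paths and parameter names come from the advisory's SIEM query.

// Markers worth flagging in a product name: script tags, javascript: URLs,
// inline event handlers, and tags commonly used to carry such handlers.
const XSS_MARKERS = '/<\s*\/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe|object)\b/i';
const PRODUCT_ENDPOINTS = ['/product', '/inventory'];
const PRODUCT_PARAMS    = ['product_name', 'Nombre:Producto'];

// Decode percent-encoding twice so single- and double-encoded payloads both become visible.
function normalize(string $s): string
{
    return urldecode(urldecode($s));
}

// Minimal application/x-www-form-urlencoded parser (avoids parse_str's key mangling).
function parseForm(string $body): array
{
    $out = [];
    foreach (explode('&', $body) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $out[urldecode($k)] = urldecode($v);
    }
    return $out;
}

// Indicator 1: POSTs to product endpoints with script markers in the product-name parameter.
function scanRequestLog(array $jsonLines): array
{
    $hits = [];
    foreach ($jsonLines as $i => $line) {
        $req = json_decode($line, true);
        if (!is_array($req) || ($req['method'] ?? '') !== 'POST') {
            continue;
        }
        if (!in_array($req['path'] ?? '', PRODUCT_ENDPOINTS, true)) {
            continue;
        }
        $params = parseForm($req['body'] ?? '');
        foreach (PRODUCT_PARAMS as $p) {
            $value = normalize((string) ($params[$p] ?? ''));
            if ($value !== '' && preg_match(XSS_MARKERS, $value, $m)) {
                $hits[] = ['line' => $i + 1, 'src' => $req['src'] ?? '?', 'param' => $p, 'marker' => $m[0]];
            }
        }
    }
    return $hits;
}

// Indicator 2: product names already in the database that contain the same markers.
function scanStoredNames(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match(XSS_MARKERS, $row['nombre'], $m)) {
            $hits[] = ['id' => $row['id'], 'marker' => $m[0]];
        }
    }
    return $hits;
}

// Constructed sample log: one benign POST, one single-encoded script payload,
// one double-encoded javascript: payload, and a GET that is ignored.
$log = [
    '{"ts":"2025-10-01T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/product","body":"product_name=Teclado+USB&precio=15"}',
    '{"ts":"2025-10-01T10:00:09Z","src":"10.0.0.7","method":"POST","path":"/product","body":"product_name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&precio=1"}',
    '{"ts":"2025-10-01T10:00:15Z","src":"10.0.0.7","method":"POST","path":"/inventory","body":"Nombre%3AProducto=javascript%253Aalert%25281%2529"}',
    '{"ts":"2025-10-01T10:01:00Z","src":"10.0.0.9","method":"GET","path":"/product","body":""}',
];

// Constructed sample rows, as if fetched with SELECT id, nombre FROM productos.
$rows = [
    ['id' => 1, 'nombre' => 'Teclado USB'],
    ['id' => 2, 'nombre' => "<script>alert('XSS')</script>"],
];

foreach (scanRequestLog($log) as $h) {
    echo "request log line {$h['line']}: src={$h['src']} param={$h['param']} marker={$h['marker']}\n";
}
foreach (scanStoredNames($rows) as $h) {
    echo "stored product id {$h['id']}: marker={$h['marker']}\n";
}
```

On the constructed input the script reports log lines 2 and 3 (source 10.0.0.7, once per parameter name) and stored product id 2. The stored-name check can also be run directly in MySQL with a `REGEXP` condition on the `nombre` column, which is useful for a one-off sweep after applying the fix.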
