CVE-2025-61255

6.1 MEDIUM

📋 TL;DR

Bank Locker Management System by PHPGurukul contains a reflected Cross-Site Scripting vulnerability in the /search parameter that allows attackers to inject malicious scripts. When exploited, this can lead to session hijacking, credential theft, or redirection to malicious sites. Organizations using this software without input sanitization are affected.

💻 Affected Systems

Products:
  • Bank Locker Management System by PHPGurukul
Versions: All versions prior to patch
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web interfaces using the vulnerable search functionality

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator credentials, gain full system access, compromise sensitive banking data, and redirect users to phishing sites.

🟠 Likely Case

Session hijacking leading to unauthorized access to locker management functions and potential data exfiltration.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting individual user sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction with malicious link; exploitation depends on user privileges

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version

Vendor Advisory: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/

Restart Required: No

Instructions:

1. Download latest version from PHPGurukul website
2. Replace vulnerable search.php file
3. Implement input validation and output encoding
4. Test search functionality

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side input validation to sanitize search parameter

Add input sanitization in search.php: $search = htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with XSS protection rules
  • Disable search functionality or restrict access to authenticated users only

🔍 How to Verify

Check if Vulnerable:

Test search parameter with payload: <script>alert('XSS')</script> and check if script executes

Check Version:

Check PHPGurukul version in system documentation or admin panel

Verify Fix Applied:

Retest with same payload; script should be encoded and not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual search queries containing script tags or JavaScript code
  • Multiple failed search attempts with malicious patterns

Network Indicators:

  • HTTP requests with script tags in search parameter
  • Unusual redirects from search page

SIEM Query:

source="web_logs" AND uri_path="/search" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
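The SIEM query above matches literal tags, but a search parameter usually reaches the access log percent-encoded, so a raw string match on "<script>" misses it. The following script is an added example (not from the advisory or the vendor) that applies the same detection idea over constructed log lines, decoding the parameter twice to catch double-encoded values. The log format, IP addresses and timestamps are constructed; the endpoint check accepts both spellings the advisory uses (/search and search.php).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /search.php?search=locker+42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /search.php?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 734
203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "GET /search.php?search=javascript%253Aalert(1) HTTP/1.1" 200 700
203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 300
"""

# Pulls client IP, timestamp and request target out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The markers from the advisory's SIEM query (script tags, javascript: URLs),
# plus common tag and event-handler shapes used for reflected XSS.
XSS_MARKERS = re.compile(
    r'<\s*script|javascript\s*:|<\s*(img|svg|iframe)\b|\bon\w+\s*=',
    re.IGNORECASE,
)


def is_search_endpoint(path):
    # The advisory names both /search and search.php; accept either spelling.
    return path == '/search' or path.endswith('/search.php')


def find_suspicious_search_requests(log_text, param='search'):
    """Return one record per request whose search parameter carries XSS markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group('target'))
        if not is_search_endpoint(parts.path):
            continue
        # parse_qs performs the first percent-decode; unquote performs a second
        # one so that double-encoded payloads (e.g. %253C) are also inspected.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = unquote(raw)
            if XSS_MARKERS.search(value):
                hits.append({'ip': m.group('ip'), 'time': m.group('ts'), 'value': value})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_search_requests(SAMPLE_LOG):
        print(hit)
```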
