CVE-2025-63528

8.5 HIGH

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Blood Bank Management System 1.0 allows attackers to inject malicious JavaScript via the error parameter in blooddinfo.php. When exploited, this can lead to session hijacking, credential theft, or defacement of the blood bank management interface. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Blood Bank Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when blooddinfo.php component is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of blood bank management system, theft of sensitive medical donor data, session hijacking of administrators, and potential ransomware deployment through browser-based attacks.

🟠 Likely Case

Session hijacking leading to unauthorized access to blood bank records, defacement of the management interface, and theft of administrator credentials.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only minor interface disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple XSS injection via error parameter requires no authentication and has public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Download latest version from GitHub repository if available
2. Replace vulnerable blooddinfo.php file
3. Implement proper input validation and output encoding
4. Test functionality after changes

🔧 Temporary Workarounds

Input Validation Filter

all

Apply server-side output encoding to the error parameter before it is rendered, so any HTML or script characters it carries are displayed as text rather than interpreted by the browser.

// PHP: encode the error parameter for safe HTML output (the null-coalescing
// default avoids an undefined-index notice when the parameter is absent):
$error = htmlspecialchars($_GET['error'] ?? '', ENT_QUOTES, 'UTF-8');

Web Application Firewall Rule

all

Block malicious scripts in error parameter via WAF

WAF rule to block script tags in error parameter:
SecRule ARGS:error "@rx <script" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Restrict access to blooddinfo.php to authenticated administrators only

🔍 How to Verify

Check if Vulnerable:

Test by accessing blooddinfo.php?error=<script>alert('XSS')</script> and check if script executes

Check Version:

Check PHP files for version comments or review system documentation

Verify Fix Applied:

Retest with same payload after implementing fixes - script should not execute

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing script tags in error parameter
  • Unexpected script-like content in the error parameter of blooddinfo.php requests recorded in access logs

Network Indicators:

  • Malicious script payloads in GET requests to blooddinfo.php

SIEM Query:

source="web_logs" AND uri="*blooddinfo.php*" AND (query="*<script*" OR query="*javascript:*")
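As an added example (not part of this advisory), the logic of the SIEM query above expressed in Python and run over constructed access-log lines. It goes slightly beyond the query by percent-decoding the error parameter (including double-encoded values) and matching case-insensitively, so encoded variants of the same payload are not missed. The log format, the sample addresses and the extra inline event-handler pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined access-log format (assumed); only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')
# The advisory's SIEM indicators (<script, javascript:) plus inline event handlers, case-insensitive.
INDICATOR_RE = re.compile(r'<script|javascript:|on\w+\s*=', re.IGNORECASE)


def normalise(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are compared in decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri):
    """Return the decoded error value if this blooddinfo.php request carries script-like content, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith('/blooddinfo.php'):
        return None
    # parse_qs already applies one round of percent-decoding to each value
    for raw in parse_qs(parts.query, keep_blank_values=True).get('error', []):
        decoded = normalise(raw)
        if INDICATOR_RE.search(decoded):
            return decoded
    return None


def find_suspicious(lines):
    """Scan access-log lines and return (ip, timestamp, decoded error value) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        offending = inspect_request(m['uri'])
        if offending is not None:
            hits.append((m['ip'], m['ts'], offending))
    return hits


# Constructed sample lines for demonstration only; not captured from any real system.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /blooddinfo.php?error=Invalid%20donor%20id HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:13:56:01 +0000] "GET /blooddinfo.php?error=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2025:13:57:12 +0000] "GET /blooddinfo.php?error=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2025:13:58:40 +0000] "GET /blooddinfo.php?error=%256Aavascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2025:13:59:03 +0000] "GET /login.php?error=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Calling `find_suspicious(SAMPLE_LOGS)` flags the second, third and fourth lines only; the benign message and the request to a different page are ignored.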
