CVE-2025-63640

6.1 MEDIUM

📋 TL;DR

CVE-2025-63640 is a stored cross-site scripting (XSS) vulnerability in Sourcecodester Medicine Reminder App v1.0 that allows attackers to inject malicious JavaScript into medicine reminder entries. When victims view or interact with compromised reminders, the attacker's code executes in their browser session. This affects all users of the vulnerable application version.

💻 Affected Systems

Products:
  • Sourcecodester Medicine Reminder App
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation with no special configuration required. Any deployment using the vulnerable source code is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or deploy ransomware-like browser attacks against authenticated users.

🟠 Likely Case

Attackers would typically steal session tokens to hijack user accounts, potentially accessing personal health information or modifying medication reminders.

🟢 If Mitigated

With proper input validation and output encoding, the malicious payloads would be rendered harmless as plain text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have an account or trick an authenticated user into creating malicious reminders. The vulnerability is simple to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Download the latest version from Sourcecodester if available.
2. Replace vulnerable files with patched versions.
3. Test the application functionality.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation and HTML encoding for all user inputs in the Medicine Reminder App.

Implement input validation in JavaScript:
function sanitizeInput(input) { return input.replace(/[<>"']/g, ''); }

Content Security Policy (CSP)

Applies to: all

Implement a strict Content Security Policy header to prevent execution of inline JavaScript.

Add HTTP header: Content-Security-Policy: default-src 'self'; script-src 'self'
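Output-side HTML encoding for reminder fields, as an added example that is not code from the advisory or from the Medicine Reminder App; it keeps the strip-based sanitizeInput() from above beside it to show that encoding preserves legitimate input (an apostrophe in a medicine name) while still rendering the advisory's test payload as plain text. The field names medicineName, notes and time are assumed.

```javascript
// Added example, not code from the advisory or from the Medicine Reminder App.
// Field names (medicineName, notes, time) are assumed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch])
);

// Encode the characters that can break out of an HTML text or quoted attribute
// context. Do this on the server at output time; a browser-side filter can be
// bypassed by sending the request directly to the reminder endpoint.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse of escapeHtml, used here only to show that encoding is lossless.
function unescapeHtml(value) {
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Render one reminder row as a server template should: every user-controlled
// value passes through escapeHtml(), including the one placed in an attribute.
function renderReminderRow(reminder) {
  return '<tr>' +
    `<td>${escapeHtml(reminder.medicineName)}</td>` +
    `<td>${escapeHtml(reminder.notes)}</td>` +
    `<td data-time="${escapeHtml(reminder.time)}">${escapeHtml(reminder.time)}</td>` +
    '</tr>';
}

// The advisory's strip-based sanitizer, kept for comparison: it deletes
// characters instead of encoding them, so legitimate input is altered.
function sanitizeInput(input) {
  return input.replace(/[<>"']/g, '');
}

// Constructed sample: the advisory's test payload in Medicine Name, and an
// ordinary medicine name containing an apostrophe in Notes.
const SAMPLE_REMINDER = {
  medicineName: "<script>alert('XSS')</script>",
  notes: "Children's Tylenol, 5 ml",
  time: '08:00',
};

// True when the encoded field contains no raw tag or quote delimiters (so it
// can only render as text) and the original value survives a round trip.
function fieldIsInert(value) {
  const encoded = escapeHtml(value);
  return !/[<>"']/.test(encoded) && unescapeHtml(encoded) === String(value);
}
```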

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Disable the application until a secure version is available

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> in the Medicine Name or Notes fields when creating a reminder, then view the saved reminder and check whether the alert executes.

Check Version:

Check the application's version in the source code or documentation files

Verify Fix Applied:

Attempt the same XSS payload and verify it's displayed as plain text rather than executing

📡 Detection & Monitoring

Log Indicators:

  • Unusually long input strings in medicine reminder creation logs
  • HTML/JavaScript patterns in user input fields

Network Indicators:

  • HTTP requests containing script tags or JavaScript in POST data to reminder creation endpoints

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND uri_path="/reminder/create"
