CVE-2025-63713

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in SourceCodester MatchMaster 1.0 allows attackers to inject malicious scripts into test titles and matching pair items. When users execute tests containing this malicious content, the scripts run in their browsers, potentially stealing session cookies or performing unauthorized actions. All users of MatchMaster 1.0 who create or execute custom tests are affected.

💻 Affected Systems

Products:
  • SourceCodester MatchMaster
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the custom test creation feature where user input is not sanitized before DOM rendering.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over administrative accounts, deface the application, or redirect users to malicious sites.

🟠

Likely Case

Attackers steal user session cookies to hijack accounts, perform unauthorized actions on behalf of users, or display phishing content.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized and rendered as harmless text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating or modifying tests, which typically requires authentication. The vulnerability is in the test execution phase where crafted content is rendered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement input validation and output encoding in the application code.

🔧 Temporary Workarounds

Implement Input Validation

Applies to: all

Add server-side validation to reject or sanitize HTML/script content in test titles and matching pair items.

Implement Output Encoding

Applies to: all

Encode user input before rendering in the DOM using appropriate encoding functions for HTML contexts.
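The two workarounds above, server-side validation of the stored title and HTML encoding at render time, as an added example. This is illustrative code written for this page, not MatchMaster's own code; the function names, the field names `title`, `pairs`, `left` and `right`, and the length limit are assumptions. It shows the same test rendered once by string concatenation (the pattern that lets the advisory's payload execute) and once through an encoder, so the payload comes out as visible text.

```javascript
// Added example (not MatchMaster code): validate a test title on the server and
// HTML-encode user-controlled strings before they reach the page.

// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into an HTML element body or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side validation (defence in depth): bound the length and restrict the
// character set so markup is rejected before it is stored. Output encoding is
// still required, because other fields or older records may contain markup.
const MAX_TITLE_LENGTH = 100; // assumed limit
const ALLOWED_TITLE = /^[\p{L}\p{N} .,:;!?()'_-]+$/u;

function validateTitle(title) {
  if (typeof title !== 'string') return { ok: false, reason: 'title must be a string' };
  const trimmed = title.trim();
  if (trimmed.length === 0) return { ok: false, reason: 'title is empty' };
  if (trimmed.length > MAX_TITLE_LENGTH) return { ok: false, reason: 'title too long' };
  if (!ALLOWED_TITLE.test(trimmed)) return { ok: false, reason: 'title contains disallowed characters' };
  return { ok: true, value: trimmed };
}

// Vulnerable rendering: user-controlled strings are concatenated into markup as-is.
function renderTestVulnerable(test) {
  const items = test.pairs.map((p) => `<li>${p.left} = ${p.right}</li>`).join('');
  return `<h2>${test.title}</h2><ul>${items}</ul>`;
}

// Hardened rendering: every user-controlled string is encoded for the HTML context.
function renderTestSafe(test) {
  const items = test.pairs
    .map((p) => `<li>${escapeHtml(p.left)} = ${escapeHtml(p.right)}</li>`)
    .join('');
  return `<h2>${escapeHtml(test.title)}</h2><ul>${items}</ul>`;
}

// Constructed sample: the title carries the payload quoted in the advisory's
// verification step; the pairs show that ordinary punctuation survives encoding.
const SAMPLE_TEST = {
  title: "<script>alert('XSS')</script>",
  pairs: [
    { left: 'Paris', right: 'France' },
    { left: '"Tom" & Jerry', right: 'cartoon' },
  ],
};

console.log('validation:', validateTitle(SAMPLE_TEST.title));
console.log('vulnerable:', renderTestVulnerable(SAMPLE_TEST));
console.log('hardened:  ', renderTestSafe(SAMPLE_TEST));
```

When the rendering happens in the browser rather than in a server template, the equivalent of `escapeHtml` is to assign the user string to `element.textContent` (or create a text node) instead of `innerHTML`; the encoder above is for the case where the application builds markup as a string. The verification step in this advisory should then show the literal text `<script>alert('XSS')</script>` on the page with no alert.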

🧯 If You Can't Patch

  • Disable custom test creation feature entirely
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Create a test with a title containing <script>alert('XSS')</script> and execute it. If an alert pops up, the system is vulnerable.

Check Version:

Check the application version in the admin panel or in the source code documentation.

Verify Fix Applied:

After implementing fixes, repeat the test creation with malicious payload. Alert should not execute and payload should be displayed as text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual test creation patterns
  • Test titles containing script tags or JavaScript code

Network Indicators:

  • HTTP requests with script payloads in POST data to test creation endpoints

SIEM Query:

source="web_logs" AND (uri="/create-test" OR uri="/save-test") AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
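The log and network indicators above, applied to request logs, as an added example that is not part of the advisory. The JSON-lines log format, the field names and the endpoint paths `/create-test` and `/save-test` (taken from the SIEM query) are assumptions; the sample records are constructed. It goes one step beyond the query by percent-decoding and case-folding the body before matching, since a plain `CONTAINS "<script>"` misses a form-encoded `%3Cscript%3E` or an upper-case tag.

```javascript
// Added example (not from the advisory or the project): flag POST requests to
// the test creation endpoints whose body carries the advisory's indicators.

const TEST_ENDPOINTS = new Set(['/create-test', '/save-test']); // assumed paths
const INDICATORS = ['<script', 'javascript:'];                    // from the SIEM query

// Percent-decode a form-encoded body; fall back to the raw text if it is malformed.
function decodeBody(body) {
  try {
    return decodeURIComponent(body.replace(/\+/g, ' '));
  } catch {
    return body;
  }
}

// Return the indicators present in one request record ([] when nothing matches).
function matchIndicators(record) {
  if (record.method !== 'POST' || !TEST_ENDPOINTS.has(record.uri)) return [];
  const haystack = decodeBody(record.body || '').toLowerCase();
  return INDICATORS.filter((needle) => haystack.includes(needle));
}

// Parse a JSON-lines log and return one finding per suspicious request.
function scanLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    const hits = matchIndicators(record);
    if (hits.length > 0) {
      findings.push({ ts: record.ts, src: record.src, uri: record.uri, hits });
    }
  }
  return findings;
}

// Constructed sample log. Record 3 carries the advisory's payload percent-encoded;
// record 4 is a benign title that still trips the "javascript:" indicator.
const SAMPLE_LOG = [
  '{"ts":"2025-11-10T09:00:01Z","src":"10.0.0.5","method":"POST","uri":"/create-test","body":"title=Capitals+of+Europe&left1=Paris&right1=France"}',
  '{"ts":"2025-11-10T09:00:07Z","src":"10.0.0.8","method":"GET","uri":"/create-test","body":""}',
  '{"ts":"2025-11-10T09:01:15Z","src":"10.0.0.9","method":"POST","uri":"/save-test","body":"title=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&left1=a&right1=b"}',
  '{"ts":"2025-11-10T09:02:30Z","src":"10.0.0.9","method":"POST","uri":"/save-test","body":"title=Quiz&left1=JavaScript%3A+the+language&right1=Java"}',
  '{"ts":"2025-11-10T09:03:00Z","src":"10.0.0.7","method":"POST","uri":"/login","body":"user=<script>"}',
].join('\n');

for (const finding of scanLog(SAMPLE_LOG)) {
  console.log(`${finding.ts} ${finding.src} ${finding.uri} -> ${finding.hits.join(', ')}`);
}
```

The fourth record shows why these indicators need triage rather than automatic blocking: a title mentioning "JavaScript: the language" matches `javascript:` just as the real payload does. Treat a hit as a reason to inspect the stored test and the source account, and correlate repeated hits from one source with the "unusual test creation patterns" indicator above.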
