CVE-2025-9922

4.3 MEDIUM

📋 TL;DR

Campcodes Sales and Inventory System 1.0 contains a cross-site scripting (XSS) vulnerability in the /index.php file's page parameter. Attackers can inject malicious scripts that execute in users' browsers when they visit manipulated URLs. This affects all users of the vulnerable system who access the affected functionality.

💻 Affected Systems

Products:
  • Campcodes Sales and Inventory System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. All deployments using version 1.0 are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware through the compromised web application.

🟠 Likely Case

Attackers will typically use this to steal session cookies or credentials, potentially leading to account takeover and unauthorized access to the sales/inventory system.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be neutralized before reaching users' browsers, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed and requires no authentication. Attackers can craft malicious URLs containing JavaScript payloads in the page parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

Check the vendor website for security updates. If no patch is available, implement input validation and output encoding in /index.php to sanitize the page parameter.

🔧 Temporary Workarounds

Implement Input Validation

all

Add server-side validation that restricts the page parameter to an allow-list of expected values only.

Add Output Encoding

all

Apply proper HTML encoding to the page parameter before outputting it, so that any injected markup is rendered as text rather than executed.
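The two workarounds above, combined in one PHP snippet, as an added example that is not the vendor's code: the page names, the default page and the echo location are assumptions, since the advisory does not show the application's source.

```php
<?php
// Added example, not part of Campcodes Sales and Inventory System.
// Allow-list the `page` parameter, then HTML-encode it before output.
// The page names below are assumed; adjust them to the real installation.

// Only these values are ever accepted for `page`.
const ALLOWED_PAGES = ['home', 'products', 'sales', 'inventory', 'reports'];
const DEFAULT_PAGE  = 'home';

/**
 * Return a page name from the allow-list, falling back to the default.
 * Any other value (including script tags) is discarded, so it never
 * reaches the HTML output.
 */
function resolve_page(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_PAGE;
    }
    // Strict comparison: exact, case-sensitive match against the list.
    return in_array($requested, ALLOWED_PAGES, true) ? $requested : DEFAULT_PAGE;
}

/**
 * Encode a value for insertion into an HTML text node or a
 * double-quoted attribute. Use for every echoed value.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern as described in the advisory (shown for contrast, not executed):
// echo '<h1>' . $_GET['page'] . '</h1>';   // reflects attacker input verbatim

// Hardened pattern: allow-list first, then encode on output.
$page = resolve_page($_GET['page'] ?? null);
echo '<h1>' . h($page) . "</h1>\n";

// Constructed inputs showing the effect: the verification payload from this
// advisory falls back to the default page, and encoding neutralises it anyway.
foreach (['sales', "<script>alert('XSS')</script>"] as $sample) {
    printf("%-32s -> page=%s  encoded=%s\n", $sample, resolve_page($sample), h($sample));
}
```

Apply the same `h()` encoding wherever the parameter is reflected (titles, links, hidden fields), not only in the heading shown here.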

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Restrict access to the system to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Test by accessing /index.php?page=<script>alert('XSS')</script> and checking if the script executes

Check Version:

Check the system's about page or documentation for version information

Verify Fix Applied:

Retest the same payload after implementing fixes to ensure no script execution occurs

📡 Detection & Monitoring

Log Indicators:

  • Unusual page parameter values containing script tags or JavaScript in web server logs

Network Indicators:

  • HTTP requests to /index.php with suspicious parameters containing script elements

SIEM Query:

source="web_server" AND uri="/index.php" AND param="page" AND (value CONTAINS "script" OR value CONTAINS "javascript:")
