CVE-2025-13484: Unveiling XSS in Campcodes Beauty Parlor System

Overview

CVE-2025-13484 describes a Cross-Site Scripting (XSS) vulnerability discovered in Campcodes Complete Online Beauty Parlor Management System version 1.0. This vulnerability affects the /admin/customer-list.php file and can be exploited remotely by manipulating the Name argument. Due to its relatively low CVSS score, this vulnerability is categorized as a low-severity risk, but it still warrants attention and mitigation to prevent potential exploitation.

Technical Details

The vulnerability lies within the /admin/customer-list.php script. The application fails to properly sanitize user-supplied input to the Name parameter. An attacker can inject malicious JavaScript code into this parameter. When a user (typically an administrator) accesses the /admin/customer-list.php page, the injected script will be executed in their browser. This could allow the attacker to steal cookies, redirect the user to a malicious website, or deface the application.

The specific code affected is within the part of customer-list.php that handles displaying customer names. Due to insufficient input validation, HTML and script tags are not escaped or filtered.

CVSS Analysis

The vulnerability has been assigned a CVSS score of 2.4, indicating a low severity. This score reflects several factors:

• Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
• Attack Complexity (AC): High (H) – Exploitation requires specific knowledge of the application and the vulnerability.
• Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
• User Interaction (UI): Required (R) – The user needs to visit the infected page.
• Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
• Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
• Integrity Impact (I): Low (L) – There is a limited impact on integrity.
• Availability Impact (A): None (N) – There is no impact to availability.

Despite the low score, even low-severity vulnerabilities can be chained with other vulnerabilities to create more significant attacks.

Possible Impact

While the CVSS score is low, the potential impact should not be completely dismissed. A successful XSS attack could allow an attacker to:

• Steal administrator cookies and hijack their session.
• Deface the website.
• Redirect users to phishing pages or other malicious websites.
• Potentially gain unauthorized access to sensitive information, depending on the administrator’s privileges.

Mitigation and Patch Steps

To mitigate this vulnerability, the following steps are recommended:

1. Input Validation and Sanitization: Implement robust input validation and sanitization on the Name parameter in /admin/customer-list.php. All user-supplied input should be properly escaped before being displayed on the page. Use appropriate escaping functions for HTML output.
2. Output Encoding: Encode output to prevent the browser from interpreting user-supplied data as code.
3. Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to filter out malicious requests.
4. Update Software: Check Campcodes’ official website for any available patches or updates for the Beauty Parlor Management System. Apply these updates as soon as possible.

References

• GitHub Issue: Vulnerability Report
• VulDB: CVE-2025-13484 Details (CII)
• VulDB: CVE-2025-13484 Details (ID)
• Campcodes Official Website