Cross-Site Scripting Vulnerability in CampCodes DepEd Equipment Inventory System
CVE-2025-0348

5.3MEDIUM

Key Information:

Vendor
Campcodes
Status
Deped Equipment Inventory System
Vendor
CVE Published:
9 January 2025

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A cross-site scripting vulnerability has been identified in CampCodes DepEd Equipment Inventory System version 1.0. The flaw is located in the /data/add_employee.php file, where user input is not adequately sanitized. This oversight allows attackers to inject malicious scripts, potentially compromising user data and sessions. The exploitation of this vulnerability can occur remotely, making it a serious security concern for users of the system. The vulnerability has been made public, highlighting the need for immediate corrective measures to ensure system integrity and user safety.

Affected Version(s)

DepEd Equipment Inventory System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0348 - Proof of Concept

References

https://vuldb.com/?id.290861
vdb-entrytechnical-description
https://vuldb.com/?ctiid.290861
signaturepermissions-required
https://vuldb.com/?submit.476908
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

John Correche (VulDB User)
.