CVE-2025-57768 in Phproject

Summary

by MITRE • 08/21/2025

Phproject is a high performance full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours field is included in the server response without any HTML encoding or sanitization. Because of this, an attacker can craft a malicious payload such as alert(1) and include it in the planned_hours parameter. The server reflects the input directly in the HTML of the project creation page, causing the browser to interpret and execute it. This vulnerability is fixed in 1.8.3.


Analysis

by VulDB Data Team • 08/21/2025

The vulnerability identified as CVE-2025-57768 represents a critical stored cross-site scripting flaw in the Phproject project management system, affecting versions 1.8.0 through 1.8.2. It resides in the Planned Hours field during project creation, specifically in the handling of POST requests to the /issues/new/ endpoint. The flaw stems from insufficient input validation and sanitization: user-supplied data is neither encoded nor filtered before it is incorporated into the server response. The vulnerability manifests when an attacker submits malicious JavaScript through the planned_hours parameter, which is then reflected back to the browser without HTML encoding, creating a persistent XSS vector.

The technical implementation of this vulnerability follows the classic stored XSS pattern: malicious input is first accepted by the application and subsequently stored in the system's database or memory. When other users access the affected page, the stored malicious code executes within their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability specifically targets the Planned Hours field, which is normally used to estimate project work duration. Because it is a legitimate, expected input, a malicious value placed in it would not raise immediate suspicion from users or administrators, which makes the attack vector more insidious.

The operational impact of this vulnerability extends beyond simple script execution, as it can be exploited to compromise user sessions and potentially escalate privileges within the application. Attackers can leverage this vulnerability to steal authentication cookies, redirect users to malicious websites, or inject additional malicious scripts that persist across multiple user sessions. The vulnerability affects the core project management functionality and represents a significant security risk to organizations relying on phproject for their operational workflows. Given that project management systems often contain sensitive business information and user credentials, the potential for data exfiltration or system compromise is substantial.

Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications, and maps to ATT&CK technique T1566.001 for initial access through malicious web content. The fix implemented in version 1.8.3 demonstrates the importance of proper input sanitization and output encoding in web applications. Organizations should prioritize immediate patching of affected systems and implement additional monitoring for suspicious activity in project creation workflows. The vulnerability also highlights the need for comprehensive security testing of all user-input fields, particularly those that may be displayed in web interfaces without proper sanitization. System administrators should consider implementing additional security controls such as Content Security Policy headers and regular security audits to prevent similar vulnerabilities from emerging in other application components.
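As an added example (not Phproject's own code), the raw-echo pattern the advisory describes is shown beside a hardened version that validates planned_hours as a number before storage and HTML-encodes it on output; the function names and the numeric limits are assumptions for this example.

```php
<?php
// Added example, not Phproject's own code: validating and encoding a numeric
// planned_hours value so it can never be reflected into the page as markup.
declare(strict_types=1);

// Accept only a non-negative decimal with at most two fractional digits;
// return null for anything else so the caller rejects the request.
// (The limits are assumptions chosen for this example.)
function validatePlannedHours(string $raw): ?float
{
    $raw = trim($raw);
    if (preg_match('/^\d{1,5}(\.\d{1,2})?$/', $raw) !== 1) {
        return null;
    }
    return (float) $raw;
}

// Encode for an HTML attribute or text node. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern the advisory describes: the submitted value is echoed back raw.
function renderVulnerable(string $plannedHours): string
{
    return '<input name="planned_hours" value="' . $plannedHours . '">';
}

// Hardened form: validate first, then still encode on output (defence in depth).
function renderHardened(string $plannedHours): string
{
    $hours = validatePlannedHours($plannedHours);
    if ($hours === null) {
        // Reject; the error text deliberately does not echo the bad input.
        return '<input name="planned_hours" value="">'
             . '<span class="error">Planned hours must be a number</span>';
    }
    return '<input name="planned_hours" value="' . h((string) $hours) . '">';
}

// Constructed input carrying the advisory's alert(1) payload.
$payload = '"><script>alert(1)</script>';
echo renderVulnerable($payload), "\n"; // attribute is closed and the script tag lands in the page
echo renderHardened($payload), "\n";   // rejected; nothing from the payload reaches the page
echo renderHardened(' 12.5 '), "\n";   // accepted after trim and rendered encoded
```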

Responsible: GitHub M

Reservation: 08/19/2025

Disclosure: 08/21/2025

Moderation: accepted

CPE: ready

EPSS: 0.00096

KEV: no

Activities: very low
