CVE-2025-5974 in Restaurant Table Booking Systeminfo

Summary

by MITRE • 06/10/2025

A vulnerability, which was classified as problematic, has been found in PHPGurukul Restaurant Table Booking System 1.0. Affected by this issue is some unknown functionality of the file /check-status.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/11/2025

The vulnerability identified as CVE-2025-5974 represents a critical cross site scripting flaw within the PHPGurukul Restaurant Table Booking System version 1.0. This security weakness resides in the /check-status.php file and specifically affects the searchdata argument handling mechanism. The vulnerability classification as problematic indicates a significant security risk that could potentially compromise user sessions and data integrity within the affected web application. The issue stems from inadequate input validation and output encoding practices that fail to properly sanitize user-supplied data before processing and rendering within the application's response.

The technical exploitation of this vulnerability occurs through manipulation of the searchdata parameter within the check-status.php script. When an attacker submits malicious input through this parameter, the application fails to properly escape or filter the data before incorporating it into dynamic web content. This allows attackers to inject malicious javascript code that executes in the context of other users' browsers who view the affected page. The cross site scripting vulnerability enables attackers to perform actions such as session hijacking, defacement of web content, or redirection to malicious sites. The remote attack vector means that exploitation can occur without requiring physical access to the target system or network, making it particularly dangerous for web applications that are publicly accessible.

The operational impact of this vulnerability extends beyond simple data theft or content manipulation. Attackers could leverage this flaw to establish persistent access to the web application by stealing session cookies or performing unauthorized actions within the booking system. The disclosure of the exploit to the public community significantly increases the risk exposure as malicious actors can readily implement the attack without requiring advanced technical skills. This vulnerability directly impacts the confidentiality, integrity, and availability of the restaurant booking system, potentially affecting customer data privacy and the overall reputation of the organization operating the service. The vulnerability affects the core functionality of the application's search capabilities, which is fundamental to the system's operation and user experience.

Mitigation strategies for CVE-2025-5974 should prioritize immediate implementation of input validation and output encoding controls. The most effective approach involves sanitizing all user inputs through proper validation routines and implementing context-specific output encoding before rendering any user-supplied data. The application should employ strict parameter validation for the searchdata argument and apply appropriate html entity encoding to prevent javascript execution. Additionally, implementing content security policies and using secure coding practices such as those recommended by the owasp top ten project would significantly reduce the attack surface. The system administrators should also consider implementing web application firewalls and monitoring for suspicious activities related to the affected endpoint. Regular security audits and code reviews should be conducted to identify similar vulnerabilities in other parts of the application, as this represents a common class of flaws that can be addressed through proper defensive programming practices. This vulnerability aligns with CWE-79 which specifically addresses cross site scripting flaws, and the attack pattern corresponds to techniques described in the ATT&CK framework under web application attacks and credential access categories.

Responsible

VulDB

Disclosure

06/10/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00250

KEV

no

Activities

very low

Sector

Hospital

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!