Key Information Summary

Vulnerability Overview
CVE ID: CVE-2025-61454
Disclosure Date: October 13, 2025
Severity: MEDIUM (CVSS v3.1 Score: 6.1)
Vulnerability Type: Reflected XSS (Cross-Site Scripting)

Affected Product
Vendor: Independent (Rahsidhya [12])
Project: Ecommerce
Version: 1.0
Vulnerable Endpoint: http://localhost/e-commerce-main/search.php

Vulnerability Details
Description: Unfiltered input in the parameter is reflected directly in the HTML response, allowing injection of arbitrary JavaScript code.
Example Request:
Expected Result: The browser executes the JavaScript code, displaying an alert box with the value .

Impact
- Execution of arbitrary JavaScript code
- Phishing or impersonation via HTML injection
- Session hijacking or token theft
- Forced browsing to malicious content
- Credential collection via search form injection
- Tampering with search results pages

Recommended Remediation
- Use or equivalent to encode all unfiltered output before rendering it as HTML.
- Implement server-side input validation, especially for the parameter.
- Enforce a strong Content Security Policy (CSP) header to prevent inline script execution.
- Avoid embedding unfiltered user input directly in HTML responses.
- Apply context-appropriate output encoding (HTML, JavaScript, URL, CSS).
- Use modern frameworks that provide automated XSS protection.

Timeline
Discovery Date: September 16, 2025
Public Disclosure Date: October 13, 2025
Patch Availability: Not available at disclosure

Discoverer
Tansique Dasari
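As an added example, not code from the Rahsidhya Ecommerce project, the following minimal search.php shows the unencoded reflection pattern the advisory describes beside a version that applies the remediation list: context-appropriate output encoding, server-side length validation and a CSP header. The advisory does not name the vulnerable parameter, so `q` is a placeholder, and htmlspecialchars is assumed to be the encoder the remediation refers to.

```php
<?php
// Added example; not the project's own search.php.
// The advisory omits the parameter name, so 'q' is a placeholder.
declare(strict_types=1);

// HTML text and attribute context: ENT_QUOTES escapes both quote styles,
// so the same encoder is safe inside double- or single-quoted attributes.
function encodeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-string context needs a different encoder than HTML text.
function encodeUrlParam(string $s): string {
    return rawurlencode($s);
}

// Hardened rendering: each reflection point gets the encoder for its context.
function renderSearchPage(string $term): string {
    $h = encodeHtml($term);
    $u = encodeUrlParam($term);
    return "<h2>Results for: {$h}</h2>\n"
         . "<form action=\"search.php\" method=\"get\">"
         . "<input type=\"text\" name=\"q\" value=\"{$h}\"></form>\n"
         . "<a href=\"search.php?q={$u}&amp;page=2\">Next page</a>\n";
}

// The pattern the advisory describes: the raw parameter is echoed into HTML.
function renderSearchPageUnsafe(string $term): string {
    return "<h2>Results for: {$term}</h2>\n";
}

if (PHP_SAPI !== 'cli') {
    // Defence in depth: forbid inline scripts even if an encoder is missed.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
    $term = isset($_GET['q']) && is_string($_GET['q']) ? $_GET['q'] : '';
    // Server-side validation: reject oversized terms before they reach the template.
    if (strlen($term) > 100) {
        http_response_code(400);
        exit('Search term too long');
    }
    echo renderSearchPage($term);
} else {
    // CLI demo with a constructed search term containing markup characters.
    $term = 'shoes <b>"&\'</b>';
    echo "UNSAFE:\n", renderSearchPageUnsafe($term);
    echo "ENCODED:\n", renderSearchPage($term);
}
```

Run from the command line to compare the two renderings; under a web server the same file serves the hardened page with the CSP header set.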