
CVE-2025-56605 PoC — PuneethReddyHC Event Management Security Vulnerability

Source
Associated Vulnerability
Title: PuneethReddyHC Event Management Security Vulnerability (CVE-2025-56605)
Description: A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute arbitrary JavaScript code in the victim's browser.
Description
XSS (Cross-Site Scripting Vulnerability)
Readme
# CVE-2025-56605
XSS (Cross-Site Scripting Vulnerability)

# CVE-2025-56605 — Reflected XSS in Event Management System 1.0

**Description:**  
A reflected Cross-Site Scripting (XSS) vulnerability exists in `register.php` of [PuneethReddyHC/event-management](https://github.com/PuneethReddyHC/event-management) 1.0.  
The `mobile` POST parameter is improperly validated and reflected back in the response, allowing injection of arbitrary JavaScript code.

**CVE ID:** CVE-2025-56605  
**Discovered by:** Isroil Mustafoqulov  
**Vulnerability type:** Reflected XSS  
**Attack vector:** Remote  

**Steps to reproduce (local only):**
1. Clone the project and run it locally.  
2. Send a crafted POST request to `backend/register.php` with a malicious payload in the `mobile` parameter.  
3. The payload is reflected unsanitized in the response.  

> ⚠️ Payloads are intentionally omitted. Do not attempt exploitation on systems you do not own.  

**Mitigation:**  
Sanitize/encode user input before output. Example in PHP:  
```php
// Encode the reflected value so the browser renders it as text rather than parsing it as HTML/JS.
// ENT_QUOTES also escapes single quotes, which matters when the value lands inside an attribute.
echo htmlspecialchars($_POST['mobile'] ?? '', ENT_QUOTES, 'UTF-8');
```
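Output encoding alone fixes the reflection, but a handler for a mobile-number field can also reject anything that is not a phone number before it is ever echoed. The following is an added example of a hardened `register.php` fragment, not the project's own code; it assumes the script receives the form via POST and echoes a confirmation containing the submitted number.

```php
<?php
// Added example (not from the original project): hardened handling of the
// `mobile` POST parameter described in CVE-2025-56605.
declare(strict_types=1);

// Allow-list validation: optional leading "+", then 7 to 15 digits.
// Anything else is rejected, so no script-bearing value can reach the output stage.
function validate_mobile(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $mobile = trim($raw);
    return preg_match('/^\+?[0-9]{7,15}$/', $mobile) === 1 ? $mobile : null;
}

// Contextual output encoding for an HTML text node or quoted attribute value.
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8 sequences.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Pattern the advisory describes (reconstructed for contrast; not the project's actual line):
// echo "Registered mobile: " . $_POST['mobile'];

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a restrictive CSP blocks inline script even if encoding is missed elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$mobile = validate_mobile($_POST['mobile'] ?? null);
if ($mobile === null) {
    http_response_code(400);
    // Do not reflect the rejected value; a fixed message avoids echoing attacker input at all.
    echo '<p>Invalid mobile number.</p>';
    exit;
}

// Validated and encoded: safe in the HTML body context this page emits.
echo '<p>Registered mobile: ' . html_escape($mobile) . '</p>';
```

Validation and encoding are independent controls; keep both, since a later template change could move the value into a context (JavaScript, URL) where the HTML encoding alone is insufficient.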