VYPR
Medium severity · NVD Advisory · Published Sep 8, 2025 · Updated Apr 15, 2026

CVE-2025-40641

Description

Stored Cross-site Scripting (XSS) vulnerability in Multi-Purpose Inventory Management System, caused by a lack of proper validation of user input supplied in the product_name parameter of a POST request to /Controller_Products/update. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Multi-Purpose Inventory Management System allows remote attackers to inject scripts via product_name parameter, stealing authenticated users' session cookies.

Vulnerability

Overview

CVE-2025-40641 is a stored cross-site scripting (XSS) vulnerability in the Multi-Purpose Inventory Management System. The vulnerability arises from insufficient validation of user input in the product_name parameter when processing POST requests to the /Controller_Products/update endpoint. This allows an attacker to inject arbitrary JavaScript code that is stored and later executed in the browsers of other users [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have network access to the application and the ability to send a crafted POST request with malicious content in the product_name parameter. The attack requires an authenticated user to view the page where the stored payload is rendered. The stored XSS can be triggered without any additional user interaction beyond normal browsing [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, enabling the attacker to impersonate the victim and perform actions on their behalf within the application. The CVSS v4.0 base score is 5.1 (Medium), with the vector indicating low privileges required and user interaction needed [1].

Mitigation

Status

As of the publication date, no official patch or remediation has been reported by the vendor. Users are advised to implement input validation and output encoding for the product_name parameter or apply web application firewall rules to mitigate the risk [1].
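The two controls the mitigation note recommends, input validation and output encoding, are shown below as an added example; this is not code from the Multi-Purpose Inventory Management System (whose implementation language is not stated in the advisory), and the function names, the allowlist rule and the sample product names are all constructed for illustration. The vulnerable renderer reproduces the defect class described above (a stored value interpolated straight into HTML), and the hardened renderer encodes the value for both the text-node and attribute-value contexts in which a product name is typically displayed.

```python
import html
import re

# Constructed sample inputs for the demonstration (not taken from the advisory).
SAMPLE_PRODUCT_NAMES = [
    "Widget 3000",                      # benign name
    "<script>alert(1)</script>",        # name carrying markup
    'Gadget " onmouseover="x',          # name that breaks out of an attribute
]

# Hypothetical allowlist: letters, digits, spaces and a few punctuation marks,
# 1..100 characters. A real system would derive the rule from its data model.
_PRODUCT_NAME_RE = re.compile(r"^[A-Za-z0-9 .,_()/-]{1,100}$")


def validate_product_name(name: str) -> bool:
    """Server-side check applied before the value is stored.

    Rejects anything outside the allowlist; this stops markup from ever
    reaching the database, but it is not a substitute for output encoding.
    """
    return bool(_PRODUCT_NAME_RE.fullmatch(name))


def render_product_row_vulnerable(name: str) -> str:
    """The defective pattern: the stored value is interpolated verbatim.

    Whatever markup was stored in product_name becomes part of the page and
    runs in every viewer's browser.
    """
    return f'<tr><td>{name}</td><td><input name="product_name" value="{name}"></td></tr>'


def render_product_row_hardened(name: str) -> str:
    """Output encoding for both HTML contexts the name is placed in.

    html.escape(quote=True) replaces & < > " and ' so the value can neither
    open a tag in the text node nor close the quoted attribute value.
    """
    safe = html.escape(name, quote=True)
    return f'<tr><td>{safe}</td><td><input name="product_name" value="{safe}"></td></tr>'


def contains_active_markup(rendered: str) -> bool:
    """Crude post-render check used by the demo: does a raw <script tag or an
    unescaped on*= handler survive in the output?"""
    return "<script" in rendered.lower() or re.search(r'\son\w+="', rendered) is not None


def process_update(name: str) -> dict:
    """Simulates the update path: validate, then render with both renderers.

    Returns the outcome so callers (and tests) can inspect it.
    """
    accepted = validate_product_name(name)
    return {
        "accepted": accepted,
        "vulnerable_leaks_markup": contains_active_markup(render_product_row_vulnerable(name)),
        "hardened_leaks_markup": contains_active_markup(render_product_row_hardened(name)),
    }


if __name__ == "__main__":
    for sample in SAMPLE_PRODUCT_NAMES:
        print(repr(sample), process_update(sample))
```

Running the module shows that only the benign name passes validation, that the vulnerable renderer emits the stored markup unchanged for the other two, and that the hardened renderer neutralises both the script tag and the attribute break-out. Encoding at render time is the control that actually closes the bug, because it protects values that were stored before validation was added; validation reduces the attack surface but any rule loose enough for real product names will let some characters through. Since the stated impact is session-cookie theft, marking the session cookie HttpOnly is a complementary, widely supported hardening step: it keeps script from reading the cookie, though it does not stop injected script from issuing requests with the victim's session.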

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

References (1)
