VYPR
Medium severity 5.4 · NVD Advisory · Published Feb 26, 2026 · Updated Apr 15, 2026

CVE-2025-56605

Description

A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute arbitrary JavaScript code in the victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the register.php script of PuneethReddyHC Event Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized mobile POST parameter.

The vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is not properly validated or sanitized before being echoed back in the HTTP response, enabling an attacker to inject arbitrary JavaScript code [1].

Exploitation is performed remotely by sending a crafted POST request to backend/register.php with a malicious payload in the mobile parameter. The payload is reflected unsanitized in the response, executing in the victim's browser. No authentication is required, as the registration endpoint is publicly accessible [1].

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, data theft, or defacement. The impact is limited by the browser's same-origin policy but can be chained with other attacks [1].

As of the advisory, no official patch has been released. The recommended mitigation is to sanitize user input using functions like htmlspecialchars() in PHP with appropriate encoding flags before outputting it in the response. Users should apply this fix to the register.php script [1].
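
The mitigation described above, as an added example that is not taken from the project's code or from the advisory: a hypothetical handler for the `mobile` field that validates against an allow-list and encodes on output. The function names, the digit-length rule and the response markup are assumptions; the `mixed` type needs PHP 8.0 or later.

```php
<?php
// Added example: hypothetical handler, not the project's register.php.
declare(strict_types=1);

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Allow-list check for the mobile field.
 * Assumption: optional leading "+" followed by 7 to 15 digits.
 */
function valid_mobile(string $mobile): bool
{
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    return preg_match('/\A\+?[0-9]{7,15}\z/', $mobile) === 1;
}

/** Build the response fragment for a submitted mobile value. */
function register_response(mixed $raw): string
{
    // Missing fields and array input (mobile[]=...) are rejected, not coerced.
    if (!is_string($raw) || !valid_mobile($raw)) {
        // The rejected value is never reflected back.
        return '<p class="error">Invalid mobile number.</p>';
    }
    // Validated input is still encoded: output encoding is the actual XSS control.
    return '<p>Registered mobile: ' . h($raw) . '</p>';
}

// Pattern of the kind the advisory describes (hypothetical line, for contrast):
//   echo "Mobile: " . $_POST['mobile'];
// In a real handler the call would be:
//   echo register_response($_POST['mobile'] ?? null);

// Constructed sample inputs: a valid number, markup, and array input.
$samples = ['+919876543210', '"><b>markup</b>', ['x']];
foreach ($samples as $s) {
    echo register_response($s), PHP_EOL;
    if (is_string($s)) {
        echo '  encoded form: ', h($s), PHP_EOL; // what h() emits for this value
    }
}
```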

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
