XSS (Cross-Site Scripting Vulnerability)
# CVE-2025-56605 — Reflected XSS in Event Management System 1.0
**Description:**
A reflected Cross-Site Scripting (XSS) vulnerability exists in `register.php` of [PuneethReddyHC/event-management](https://github.com/PuneethReddyHC/event-management) 1.0.
The `mobile` POST parameter is improperly validated and reflected back in the response, allowing injection of arbitrary JavaScript code.
**CVE ID:** CVE-2025-56605
**Discovered by:** Isroil Mustafoqulov
**Vulnerability type:** Reflected XSS
**Attack vector:** Remote
**Steps to reproduce (local only):**
1. Clone the project and run it locally.
2. Send a crafted POST request to `backend/register.php` with a malicious payload in the `mobile` parameter.
3. The payload is reflected unsanitized in the response.
> ⚠️ Payloads are intentionally omitted. Do not attempt exploitation on systems you do not own.
**Mitigation:**
Sanitize/encode user input before output. Example in PHP:
```php
// Encode before echoing so any markup in the value is rendered as text, not HTML.
echo htmlspecialchars($_POST['mobile'] ?? '', ENT_QUOTES, 'UTF-8');
```
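As an added illustration (not the project's own code), the same `mobile` handling written the vulnerable way and the hardened way side by side: the hardened version validates the field against a phone-number shape first and still encodes on output, so the page stays safe even if validation is later relaxed. Function names, the regex and the sample inputs are assumptions for this example.

```php
<?php
// Added example, not code from the event-management project. Function names,
// the validation pattern and the sample inputs are assumptions for illustration.

// Vulnerable pattern: the submitted value is concatenated straight into the
// response, so any HTML or <script> it contains becomes part of the page markup.
function render_mobile_unsafe(array $post): string
{
    return 'Mobile: ' . ($post['mobile'] ?? '');
}

// Hardened pattern:
//  (1) validate: accept only what a phone number may contain, reject the rest;
//  (2) encode on output anyway, so the fix does not depend on step (1) alone.
function render_mobile_safe(array $post): string
{
    $mobile = trim((string)($post['mobile'] ?? ''));
    // Optional leading '+' followed by 7 to 15 digits (E.164-style, assumed).
    if (!preg_match('/^\+?[0-9]{7,15}$/', $mobile)) {
        // Fixed server-controlled text only; nothing from the request is echoed.
        return 'Mobile: <em>invalid number</em>';
    }
    return 'Mobile: ' . htmlspecialchars($mobile, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: one legitimate number and one value containing markup.
$samples = [
    ['mobile' => '+15551234567'],
    ['mobile' => '<b>not a number</b>'],
];
foreach ($samples as $post) {
    echo 'unsafe: ' . render_mobile_unsafe($post) . PHP_EOL;
    echo 'safe:   ' . render_mobile_safe($post) . PHP_EOL;
}
```

For the second sample the unsafe function returns the `<b>` tag intact, while the safe function rejects it at validation; a value that passes validation is still encoded, which is the defence-in-depth the advisory's `htmlspecialchars` line provides.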