{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-51225", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T16:52:38.428Z", "dateReserved": "2024-10-28T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T15:26:36.065Z"}, "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the brandname parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Buckdray/vulnerability-research"}, {"url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51225"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:52:33.972950Z", "id": "CVE-2024-51225", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:52:38.428Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-51225", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:52:33.972950Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:52:27.210Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Buckdray/vulnerability-research"}, {"url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51225"}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the brandname parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T15:26:36.065Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51225", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:52:38.428Z", "dateReserved": "2024-10-28T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:vehicle_record_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D6AE144F-2A5F-4F48-899F-732293FA1DB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the brandname parameter."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenada en el componente /admin/add-brand.php de Phpgurukul Vehicle Record Management System v1.0 permite a los atacantes ejecutar scripts web o HTML arbitrarios mediante la inyecci\u00f3n de una carga \u00fatil manipulada en el par\u00e1metro brandname."}], "id": "CVE-2024-51225", "lastModified": "2026-03-24T18:11:26.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T16:16:31.823", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Buckdray/vulnerability-research"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/Buckdray/vulnerability-research/tree/main/CVE-2024-51225"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "vehicle_record_management_system", "vendor": "phpgurukul"}], "analysis": {"en": {"generated_at": "2026-03-24T19:30:12.795617+00:00", "value": {"mitigation_remediation": ["Apply the vendor-provided patch or upgrade to the latest version of Vehicle Record Management System.", "Restrict access to /admin/add-brand.php to users with verified administrative rights and enforce strong authentication.", "Sanitize or escape all user input before storing or rendering the brandname value to prevent script execution.", "Implement a strict Content Security Policy that disallows inline scripts and limits script sources.", "Monitor the application logs for anomalous JavaScript injection and conduct regular security testing."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that can execute arbitrary JavaScript in the victim's browser, enabling session hijacking, data theft, or defacement."}, "threat_synthesis": {"affected_systems": "The affected product is the Phpgurukul Vehicle Record Management System, version 1.0. No other vendors or products are identified. The flaw exists only in this specific version unless newer releases address the issue.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the /admin/add-brand.php page of the Vehicle Record Management System. An attacker can embed JavaScript or HTML into the brandname field; when an administrator submits the value, it is stored without proper escaping and subsequently rendered to users. This flaw allows arbitrary script execution within any victim's browser session that views the affected page, potentially leading to session hijacking, credential theft, or defacement of the website.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate risk level, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the admin interface, implying that an attacker must be authenticated as an administrator or already possess a valid admin session. Once that condition is met, the attacker can inject malicious payloads into the brandname field, which are stored and later served to any user who views the brand record. The primary attack vector is a web-based form that accepts user-supplied data without proper sanitization."}}}}, "created": "2026-03-24T10:35:05.721968+00:00", "title": "Stored XSS in Phpgurukul Vehicle Record Management System v1.0", "updated": "2026-03-25T14:50:14.803189+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$vehicle_record_management_system"]}