CVE-2025-52203

Name of the Vulnerable Software and Affected Versions DevaslanPHP project-management version 1.2.4

Description A stored cross-site scripting (XSS) issue exists in DevaslanPHP project-management version 1.2.4. The vulnerability is located in the Ticket Name field, which does not properly sanitize user input. An authenticated attacker can inject malicious JavaScript payloads into this field. These payloads are stored in the database and executed in a user's browser context when the user logs in and is redirected to the Dashboard panel upon authentication.

Recommendations Update DevaslanPHP project-management to a version that addresses this issue. As a temporary workaround, sanitize all user input for the Ticket Name field to prevent the injection of malicious scripts.