PT-2025-37177 · Unknown · Online Fire Reporting System

Rafael Pedrero · Published 2025-09-11 · Updated 2025-09-12 · CVE-2025-40693

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Online Fire Reporting System version 1.2
Description: The application suffers from a stored cross-site scripting issue due to insufficient validation of user-supplied data. Specifically, the tname parameter via GET, and the teamleadname, teammember, and teamname parameters via POST are not properly sanitized. This allows a remote attacker to inject malicious scripts into the application, potentially stealing an authenticated user's session cookie details. The vulnerability exists at the /ofrs/admin/edit-team.php API endpoint.
Recommendations: Online Fire Reporting System version 1.2: Implement proper input validation and sanitization for the tname parameter via GET, and the teamleadname, teammember, and teamname parameters via POST at the /ofrs/admin/edit-team.php endpoint.
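
One way to apply this recommendation, shown as an added example that is not code from Online Fire Reporting System or from the advisory: validate the four named parameters on input and HTML-encode them on every render. The helper names (validateTeamField, h), the allow-list, the length limits and the sample values are assumptions.

```php
<?php
// Added example, not the application's code. Parameter names come from the
// advisory; the allow-list, length limits and sample values are assumptions.
declare(strict_types=1);

const TEAM_FIELDS = ['teamname' => 60, 'teamleadname' => 60, 'teammember' => 200];

/** Input side: accept only short, name-like UTF-8 strings; throw otherwise. */
function validateTeamField(string $field, $raw, int $maxLen): string
{
    $value = is_string($raw) ? trim($raw) : '';
    // Letters, digits, space and . , ' - only. With /u, invalid UTF-8 also fails.
    $pattern = '/\A[\p{L}\p{N} .,\'-]{1,' . $maxLen . '}\z/u';
    if (preg_match($pattern, $value) !== 1) {
        throw new InvalidArgumentException("$field: invalid value");
    }
    return $value;
}

/** Output side: encode for HTML text and quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request data standing in for $_GET and $_POST.
$get  = ['tname' => 'Alpha'];
$post = [
    'teamname'     => 'Alpha',
    'teamleadname' => "D'Souza",
    'teammember'   => '<script>alert(1)</script>',
];

$clean = ['tname' => validateTeamField('tname', $get['tname'] ?? null, 60)];
foreach (TEAM_FIELDS as $field => $max) {
    try {
        $clean[$field] = validateTeamField($field, $post[$field] ?? null, $max);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', $e->getMessage(), PHP_EOL;   // do not store this field
    }
}

// Rows stored before the fix may still hold markup, so encode on every render.
$storedRow = ['teamleadname' => "D'Souza", 'teammember' => '"><script>alert(1)</script>'];
foreach ($storedRow as $field => $value) {
    echo '<input name="', h($field), '" value="', h($value), '">', PHP_EOL;
}
```

The allow-list deliberately permits an apostrophe for names such as D'Souza, which is why the output side uses ENT_QUOTES rather than relying on input validation alone.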

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-40693

Affected Products: Online Fire Reporting System