PT-2025-37178 · Unknown · Online Fire Reporting System

Rafael Pedrero · Published 2025-09-11 · Updated 2025-09-12

CVE-2025-40694

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Online Fire Reporting System version 1.2

Description

The Online Fire Reporting System contains a stored cross-site scripting (XSS) issue. This is due to insufficient validation of user-supplied fromdate and todate parameters via a POST request to the /ofrs/admin/bwdates-report-result.php API endpoint. A remote user could exploit this to send a malicious query to an authenticated user and potentially steal their cookie session details.

Recommendations

Online Fire Reporting System version 1.2: Implement proper validation of the fromdate and todate parameters in the /ofrs/admin/bwdates-report-result.php endpoint to prevent the injection of malicious scripts.
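One way to implement the recommended validation, shown as an added example and not the application's own code. It assumes the dates are submitted as YYYY-MM-DD; the function names parse_report_date, h and report_heading are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: dates arrive as YYYY-MM-DD, the format an HTML date input submits.
const DATE_FORMAT = 'Y-m-d';

/** Return a date object only if $raw is exactly a real calendar date in DATE_FORMAT. */
function parse_report_date(mixed $raw): ?DateTimeImmutable
{
    if (!is_string($raw)) {
        return null;                       // rejects array input such as fromdate[]=...
    }
    $d = DateTimeImmutable::createFromFormat('!' . DATE_FORMAT, $raw);
    // Round-trip comparison rejects trailing markup and rolled-over dates (2025-02-31).
    if ($d === false || $d->format(DATE_FORMAT) !== $raw) {
        return null;
    }
    return $d;
}

/** Encode a string for an HTML text or quoted-attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical helper: build the report heading, or null when the input is refused. */
function report_heading(array $post): ?string
{
    $from = parse_report_date($post['fromdate'] ?? null);
    $to   = parse_report_date($post['todate'] ?? null);
    if ($from === null || $to === null || $from > $to) {
        return null;
    }
    // Echo the canonical re-formatted value, never the raw request string.
    return 'Report from ' . h($from->format(DATE_FORMAT)) . ' to ' . h($to->format(DATE_FORMAT));
}

// Constructed sample inputs: one valid range, one with markup, one impossible date.
$samples = [
    ['fromdate' => '2025-01-01', 'todate' => '2025-01-31'],
    ['fromdate' => '2025-01-01<b>x</b>', 'todate' => '2025-01-31'],
    ['fromdate' => '2025-02-31', 'todate' => '2025-03-01'],
];
foreach ($samples as $post) {
    echo (report_heading($post) ?? 'HTTP 400: invalid date range'), PHP_EOL;
}
```

Because the issue is described as stored, any date value read back from storage should also pass through h() at the point where it is rendered.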

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-40694

Affected Products

Online Fire Reporting System