CVE-2025-63529
Published: 01 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-63529 is a session fixation vulnerability in Blood Bank Management System 1.0, affecting the login.php component. It enables an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues using the attacker-supplied session ID rather than generating a new one.
A remote attacker with no privileges can exploit this vulnerability by tricking a user into visiting a malicious link or resource that includes the attacker's controlled session ID, such as via phishing. Once the victim authenticates, the attacker can hijack the session to gain unauthorized access to the victim's account. The issue carries a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and is associated with CWE-384.
Mitigation details are available in related advisories and resources, including https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing, https://github.com/Shridharshukl/Blood-Bank-Management-System, and https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a session fixation flaw in the public-facing login.php component of a web application, enabling remote unauthenticated attackers to hijack user sessions after tricking victims into visiting a link with a controlled session ID, directly mapping to exploitation of a public-facing application.