A cross-site scripting (XSS) vulnerability exists in the search-autootaxi.php endpoint of the ATSMS web application. The application fails to properly sanitize user input submitted through a form field, allowing an attacker to inject arbitrary JavaScript code. The malicious payload is stored in the backend and executed when a user or administrator accesses the affected report page. This allows attackers to exfiltrate session cookies, hijack user sessions, and perform unauthorized actions in the context of the victims browser.

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-57145
• https://github.com/nandanacp/CVE-Collection/blob/main/CVE-2025-57145/README.md
• http://auto.com
• http://phpgurukul.com