
Reflected XSS in Look and feel section of the application

Moderate
mschering published GHSA-xv2x-v374-92gv Jun 16, 2025

Package

No package listed

Affected versions

<=6.8.120, 20.0.23

Patched versions

>=25.0.27, 6.8.123

Description

Summary

A JavaScript payload entered into the Look and Feel formatting fields is rendered back into the page unencoded and executed (cross-site scripting).

Details

Any authenticated user can update their own Look and Feel formatting input fields. The web application does not sanitize or HTML-encode these values before placing them in the generated page, so a value containing JavaScript is reflected into the page and executed (reflected XSS).

PoC

  • Log in with your username and password
  • Go to My account > Look and feel
  • In the Formatting section, set List separator = <img src=0 onerror=alert(1)>
  • Click Save
  • The JavaScript payload is executed when the saved value is rendered back into the page.
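The following is an added example, not code from this advisory or from the affected application, showing the rendering pattern the Details and PoC sections describe and the output-encoding fix. The function names, the field name list_separator, the preview markup and the separator allowlist are all assumptions made for the illustration; only the payload is taken from the PoC above.

```javascript
// Added example (hypothetical code, not the affected project's own).
// Shows how a user-controlled setting such as "List separator" becomes XSS
// when it is echoed into the page unencoded, and the encode-on-output fix.

// Constructed sample payload: the one used in the PoC above.
const PAYLOAD = '<img src=0 onerror=alert(1)>';

// Vulnerable pattern (assumed): the saved value is concatenated straight
// into markup, both inside an attribute and inside a text node. The text
// node is where the <img onerror> fires.
function renderSeparatorFieldUnsafe(value) {
  return '<input name="list_separator" value="' + value + '">'
       + '<span class="preview">Example: a' + value + 'b</span>';
}

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: encode on output, in both the attribute and the text node.
function renderSeparatorFieldSafe(value) {
  const v = escapeHtml(value);
  return '<input name="list_separator" value="' + v + '">'
       + '<span class="preview">Example: a' + v + 'b</span>';
}

// Defence in depth (assumed policy): a list separator is a single
// punctuation or whitespace character, so reject anything else on save.
function isValidSeparator(value) {
  return /^[,;:|\t ]$/.test(String(value));
}

// Regression check: is the raw setting value present verbatim in the output
// together with an element carrying an event-handler attribute?
function containsInjectedTag(html, value) {
  return html.includes(value) && /<\s*[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Usage: compare the two renderings for the PoC payload.
console.log(renderSeparatorFieldUnsafe(PAYLOAD)); // payload appears as live markup
console.log(renderSeparatorFieldSafe(PAYLOAD));   // payload appears as &lt;img ...&gt;
console.log('valid separator:', isValidSeparator(PAYLOAD)); // false
```

Encoding on output is the fix that closes the bug regardless of what is stored; the separator allowlist is an extra layer that also stops the payload from being saved at all.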

Impact

This may lead to

  • Session hijacking, for example by delivering the payload to a victim through phishing
  • Exfiltration of sensitive user data

Severity

Moderate

CVE ID

CVE-2025-48993

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79: The product does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users.

Credits