CVE-2025-0423 MEDIUM

CVE-2025-0423: Multiple Unauthenticated Stored Cross-Site Scripting

Vendor Cordaware

Product bestinformed Web

Weakness CWE-20 · Input validation

Published February 18, 2025

Last update February 18, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker is able to compromise the sessions of users on the server by injecting JavaScript code into their session using an "Unauthenticated Stored Cross-Site Scripting". The attacker is then able to ride the session of those users and can abuse their privileges on the "bestinformed Web" application.

Key dates

02Disclosure timeline

February 18, 2025 CVE published

February 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-0423 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2025-0423: Multiple Unauthenticated Stored Cross-Site Scripting

01Description

02Disclosure timeline

03References

04Related CVE