CVE-2025-10348 MEDIUM

CVE-2025-10348: Stored Cross-Site Scripting in URVE Smart Office

Vendor Eveo

Product URVE Smart Office

Weakness CWE-79 · XSS

Published October 30, 2025

Last update October 30, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

URVE Smart Office is vulnerable to Stored XSS in report problem functionality. An attacker with a low-privileged account can upload an SVG file containing a malicious payload, which will be executed when a victim visits the URL of the uploaded resource. The resource is available to anyone without any form of authentication. This issue was fixed in version 1.1.24.

Key dates

02Disclosure timeline

October 30, 2025 CVE published

October 30, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10348 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-10348: Stored Cross-Site Scripting in URVE Smart Office

01Description

02Disclosure timeline

03References

04Related CVE