CVE-2025-2495 MEDIUM

CVE-2025-2495: Stored Cross-Site Scripting (XSS) vulnerability in Softdial Contact Center

Vendor: Sytel Ltd
Product: Softdial Contact Center
Weakness: CWE-79 (XSS)
Published: March 18, 2025
Last update: March 18, 2025

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the ‘/softdial/scheduler/save.php’ resource. The injected code will execute when the uploaded file is loaded via the ‘/softdial/scheduler/load.php’ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.

Key dates

02 Disclosure timeline

March 18, 2025: CVE published
March 18, 2025: Record updated