CVE-2025-25189 MEDIUM

CVE-2025-25189: [XBOW-025-031] Reflected Cross-Site Scripting via jobid Parameter in ZOO-Project WPS publish.py CGI Script

Vendor Zoo-Project
Product ZOO-Project
Weakness CWE-79 · XSS
Published February 10, 2025
Last update February 11, 2025
View on NVD All CVEs

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

What the vulnerability does

01Description

The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim's browser. Commit 7a5ae1a contains a fix for the issue.

Key dates

02Disclosure timeline

February 10, 2025 CVE published
February 11, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-41810 Script injection in M-Files Admin CVE-2021-24810 WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting CVE-2023-45065 WordPress Bulk NoIndex & NoFollow Toolkit Plugin <= 1.42 is vulnerable to Cross Site Scripting (XSS) CVE-2025-59592 WordPress Make Column Clickable Elementor Plugin <= 1.6.0 - Cross Site Scripting (XSS) Vulnerability CVE-2025-49400 WordPress WP Visitor Statistics (Real Time Traffic) Plugin <= 8.2 - Cross Site Scripting (XSS) Vulnerability