CVE-2025-41367
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-06-06
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41367 is a stored Cross-Site Scripting (XSS) vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. It allows an attacker who has authenticated with higher than view permissions to store malicious JavaScript code in the device software. This malicious code then executes in the browsers of users who access the affected device, potentially compromising their security. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with sufficient permissions to inject malicious JavaScript that runs in the browsers of users interacting with the device. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities executed in the context of the victim's browser. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate the stored Cross-Site Scripting (XSS) vulnerability CVE-2025-41367 in IDF and ZLF products, you should update the firmware to versions 0.10.0-0C08 or 0.10.0-0D00 or later, where these vulnerabilities have been addressed. Additionally, restrict authentication and permissions to prevent unauthorized execution of commands requiring higher privileges. [1]