CVE-2025-49590
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-08-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | cryptpad | to 2025.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-692 | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability could allow an attacker to execute malicious javascript code via crafted URIs, potentially leading to Cross-Site Scripting (XSS) attacks. This can result in unauthorized actions, data theft, or session hijacking within the CryptPad collaboration environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade CryptPad to version 2025.3.0 or later, as this version contains the patch that fixes the Link Bouncer bypass vulnerability.
Can you explain this vulnerability to me?
This vulnerability in CryptPad's "Link Bouncer" feature allows a maliciously crafted javascript URI to bypass the intended filtering meant to prevent Cross-Site Scripting (XSS) attacks. The bypass occurs because of an "early allow" code path that processes the URI before its protocol or scheme is checked. This flaw was fixed in version 2025.3.0.