CVE-2025-5713
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isolucoesweb | solucoescoop | to 2025-05-19 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5713 is a Stored Cross-Site Scripting (XSS) vulnerability in the SoluçõesCoop iSoluçõesWEB product, specifically in the flow management feature at the /fluxos-dashboard endpoint. It occurs because the application does not properly sanitize user input in the argument 'Descrição da solicitação' when users create flows or insert messages. This allows attackers to inject malicious JavaScript code that is stored and executed when other users view the infected content. Additionally, there is a related path traversal and forced navigation vulnerability in the profile picture update feature that can be combined with the XSS to redirect users to malicious locations. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to attackers executing arbitrary JavaScript code in the context of the affected web application. Potential impacts include session hijacking, where attackers steal user session cookies to impersonate users; defacement of the web interface; and forced navigation attacks that redirect users to malicious sites. These actions can compromise user accounts, data integrity, and overall security of the application. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /fluxos-dashboard endpoint for stored cross-site scripting (XSS) by injecting JavaScript payloads into the "Descrição da solicitação" argument and observing if the script executes when the content is viewed. Additionally, monitoring HTTP requests and responses for suspicious script injections in this parameter can help detect exploitation attempts. Specific commands are not provided in the resources, but typical detection involves using web application security testing tools like curl or Burp Suite to send payloads and inspect responses. For example, a curl command to test injection might be: curl -X POST -d 'Descrição da solicitação=<script>alert(1)</script>' https://target/fluxos-dashboard and then checking if the script executes when viewing the dashboard. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected SoluçõesCoop iSoluçõesWEB product to a fixed version that addresses the vulnerability. Until an upgrade is possible, applying input validation and sanitization on the "Descrição da solicitação" parameter to neutralize malicious scripts can reduce risk. Additionally, restricting user input and implementing Content Security Policy (CSP) headers may help mitigate exploitation. Monitoring and blocking suspicious requests targeting /fluxos-dashboard can also be beneficial. [2]