CVE-2025-6268
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability classified as problematic has been found in Luna Imaging up to 7.5.5.6. Affected is an unknown function of the file /luna/servlet/view/search. The manipulation of the argument q leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published
2025-06-19
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-06-19
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Weaknesses (CWE)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross-Site Scripting (XSS) flaw in Luna Imaging versions up to 7.5.5.6. It occurs in the search functionality, specifically in the 'q' parameter of the URL path '/luna/servlet/view/search'. An attacker can inject malicious JavaScript code into this parameter, which is then executed in the victim's browser. This allows the attacker to perform actions such as stealing cookies or hijacking sessions by running arbitrary scripts in the context of the user's browser. [1, 2]


How can this vulnerability impact me?

The vulnerability can impact you by allowing remote attackers to execute arbitrary JavaScript code in your browser when you interact with the affected search functionality. This can lead to session hijacking, cookie theft, or other malicious actions that compromise your data integrity and security. Exploitation requires victim user interaction but does not require attacker authentication. There are no known mitigations or countermeasures, and public exploits exist. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending crafted HTTP GET requests to the affected endpoint `/luna/servlet/view/search` with test payloads in the `q` parameter and observing whether the payload is reflected unencoded in the response. For example, you can use curl to test for reflection by sending a request like `curl -i 'http://<target>/luna/servlet/view/search?q=<script>alert(1)</script>'` and checking whether the script tag appears verbatim in the response body. Additionally, web vulnerability scanners that test for reflected XSS on query parameters can be used to detect this issue. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling access to the vulnerable search functionality if possible, applying input validation and context-appropriate output encoding to the `q` parameter so that reflected input is rendered as text rather than interpreted as markup or script, or using a web application firewall (WAF) to block malicious payloads targeting the `q` parameter. Since no vendor patch or official fix is available and the vendor did not respond, consider using alternative products or isolating the affected system to reduce exposure until a fix is available. [2]

