CVE-2025-55288
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kreaweb | genealogy | to 4.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55288 is an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in the Genealogy PHP application prior to version 4.4.0. It allows an authenticated attacker to inject malicious JavaScript code into query parameters, which is then reflected back and executed in another user's browser session. This can lead to session hijacking, data theft, and manipulation of the user interface. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in your browser session when using the Genealogy application. This can result in session hijacking, where attackers take over your session, theft of sensitive data, and unauthorized changes to the user interface, potentially compromising your data and user experience. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for reflected Cross-Site Scripting (XSS) in the Genealogy application versions prior to 4.4.0. Specifically, an authenticated user can attempt to inject JavaScript code into query parameters or input fields such as search functionality and observe if the input is reflected unsanitized in the web page output. Commands or tools to detect this include using web application security scanners like OWASP ZAP or Burp Suite to intercept and modify requests with typical XSS payloads (e.g., <script>alert(1)</script>) in parameters and inputs. Additionally, manual testing can be done by logging in and injecting scripts in search fields or URL parameters and checking if the script executes in another user's session. There are no specific command-line commands provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the Genealogy application to version 4.4.0 or later, where the vulnerability is fixed. If upgrading immediately is not possible, it is advised to sanitize or escape all user-supplied content before rendering it in the UI to prevent execution of malicious scripts. Reviewing and securing file storage configurations to prevent unauthorized access to sensitive files is also recommended. The patch includes applying HTML entity encoding (e.g., Laravel's e() function) on all user-generated content and sanitizing inputs such as search queries to strip HTML tags and escape special characters. [1, 2]