CVE-2025-57424
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-09-29

Assigner: MITRE

Description
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the HttpOnly flag on the session cookie, this flaw could be exploited to capture session tokens and hijack user sessions, enabling elevated access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-09-29
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-57424
EUVD
EUVD-2025-31603
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hbi_consulting mycourts *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) flaw in the MyCourts v3 application, specifically in the LTA number profile field. An attacker can inject malicious JavaScript code into their profile, which then executes in the browsers of any users who view that profile, including administrators. Because the session cookies lack the HttpOnly flag, the injected script can access these cookies, allowing attackers to steal session tokens and hijack user sessions, potentially gaining elevated privileges or full account takeover. [1]

Impact Analysis

This vulnerability can lead to session hijacking by stealing session cookies through injected malicious scripts. Attackers can gain unauthorized access to user accounts, escalate privileges, and potentially take over administrative functions. This compromises the confidentiality and integrity of user data and the application, allowing persistent unauthorized access without re-authentication. [1]

Detection Guidance

This vulnerability can be detected by testing the LTA number field in the user profile for stored XSS payloads. One method is to submit a crafted payload such as "'><script>prompt(document.cookie)</script>" via a POST request to /my_profile_settings_process.asp and then viewing the profile or members directory (/directory.asp) to see if the script executes. Additionally, Web Application Firewalls (WAF) can be used to detect XSS patterns. Network monitoring for suspicious POST requests to /my_profile_settings_process.asp or unexpected JavaScript execution in profile pages can also help detect exploitation attempts. Specific commands could include using curl to POST the payload, for example: curl -X POST -d "LTA_number='><script>prompt(document.cookie)</script>" https://targetsite/my_profile_settings_process.asp and then manually checking the profile page for script execution. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the MyCourts application to the August 2025 release or later, which contains the fix. Additionally, implement strict input validation to accept only numerical input in the LTA number field, apply proper output encoding (HTML escaping) of user-supplied data, and set the HttpOnly attribute on session cookies to prevent JavaScript access. Deploying a strict Content Security Policy (CSP) to block inline scripts and using a whitelist approach for input filtering are also recommended. Using a Web Application Firewall (WAF) to detect and block XSS attempts can provide additional protection. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57424. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart