CVE-2025-10869
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-30
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oct8ne | chatbot | 2.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to the theft of sensitive user data such as session cookies or enable attackers to perform unauthorized actions on behalf of the user, compromising user accounts and data security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Stored Cross-Site Scripting (XSS) vulnerability involves monitoring for suspicious or unexpected JavaScript code in transcripts sent by the Oct8ne Chatbot, especially those sent via email. Since the vulnerability involves malicious script injection in chat transcripts, inspecting outgoing emails for embedded scripts or unusual payloads can help detect exploitation attempts. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Oct8ne Chatbot to the latest version where this vulnerability has been fixed by the development team. Additionally, avoid opening suspicious chat transcript emails and consider implementing email filtering to detect and block messages containing malicious scripts. [1]
Can you explain this vulnerability to me?
CVE-2025-10869 is a Stored Cross-Site Scripting (XSS) vulnerability in Oct8ne Chatbot version 2.3. It allows an attacker to inject malicious JavaScript code into a transcript that is sent by email. When the victim opens this email, the malicious script executes in their browser, potentially compromising their security. [1]