CVE-2025-11291
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in ixmaps website2017 up to 0c71cffa0162186bc057a76766bc97e9f5a3a2d0. This impacts an unknown function of the file /map.php of the component HTTP GET Request Handler. Performing manipulation of the argument trid results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11291
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ixmaps website2017 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11291 is a reflected Cross-Site Scripting (XSS) vulnerability in the ixmaps website, specifically in the /map.php file's HTTP GET request handler. It occurs due to improper handling of the 'trid' parameter, allowing an attacker to inject and execute arbitrary JavaScript code in the browser of users who visit the site. This happens because the website reflects user input without proper sanitization or encoding, enabling remote attackers to craft malicious URLs that execute scripts in victims' browsers. [1, 2, 3]

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary JavaScript code in the context of the affected website on a victim's browser. Potential impacts include session hijacking, defacement of the website, redirecting users to malicious sites, and other malicious actions performed through the injected scripts. Exploitation requires only user interaction and no authentication, making it relatively easy to exploit remotely. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by testing the /map.php endpoint with specially crafted HTTP GET requests that manipulate the 'trid' parameter to include JavaScript payloads. One method is to use curl or similar tools to send requests with payloads and observe if the response reflects the injected script without proper sanitization. Additionally, Google dorking with the query "inurl:map.php" can help identify vulnerable targets. Example command: curl -v "https://targetsite.com/map.php?trid=<script>alert(1)</script>" and check if the response contains the injected script. [2, 3]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the affected component or replacing it with an alternative product, as no known mitigations or patches are available. Additionally, applying input validation and output encoding on the 'trid' parameter to neutralize malicious scripts can help. Restricting user input and employing web application firewalls (WAF) to detect and block malicious payloads targeting the 'trid' parameter may reduce risk until a fix is available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart