CVE-2025-12251
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in OpenWGA 7.11.12 Build 737. This impacts an unknown function of the component Admin UI. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12251
EUVD
EUVD-2025-36132
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openwga admin_client 7.11.12
openwga admin_ui 7.11.12
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-12251 is a cross-site scripting (XSS) vulnerability in OpenWGA 7.11.12 Build 737's Admin UI component. It occurs because the Admin Client stores untrusted input in administrator-facing fields without proper encoding. When these stored inputs are displayed, malicious scripts can execute in the browser of a higher-privileged user, allowing an attacker with low privileges to run arbitrary scripts within that user's session. [2, 3]

Impact Analysis

This vulnerability can allow an attacker with low privileges to execute arbitrary JavaScript in the context of a higher-privileged user's session. This can lead to session hijacking or other malicious actions, compromising the integrity of the affected web interface and potentially allowing unauthorized actions within the Admin UI. [2, 3]

Detection Guidance

This vulnerability can be detected by checking for the presence of OpenWGA version 7.11.12 Build 737 Admin UI component and testing for stored cross-site scripting (XSS) by injecting scripts into administrator-facing fields such as names, titles, or descriptions. Since a proof-of-concept exploit is publicly available on GitHub, you can use it to verify if your system is vulnerable. Specific detection commands are not provided in the resources. [2, 3]

Mitigation Strategies

There are no known patches or vendor-provided mitigations available for this vulnerability. Immediate steps include restricting access to the Admin UI to trusted users only, avoiding use of the affected OpenWGA version, and considering replacing the affected product with an alternative. Monitoring for suspicious activity and applying strict input validation or output encoding where possible may help reduce risk. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12251. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart