CVE-2025-63785
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-12-08
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| onlook | onlook | 0.2.32 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in the text editor feature of the Onlook web application version 0.2.32. It happens because user input is not properly sanitized before being inserted into the DOM using innerHTML when editing text. An attacker can exploit this by injecting malicious HTML or script code, which executes within the preview iframe in the user's session.
How can this vulnerability impact me? :
The vulnerability allows an attacker to execute arbitrary scripts in the context of the user's session within the Onlook web application. This can lead to theft of sensitive information, session hijacking, or performing unauthorized actions on behalf of the user.