CVE-2019-25262
Unknown Unknown - Not Provided
Cross-Site Scripting in Razgover Chat Message Handler

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulDB

Description
A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-31
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25262
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elinicksic razgover *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25262 is a cross-site scripting (XSS) vulnerability in the Razgover application, specifically in the Chat Message Handler component (file Chattify/send.php). It occurs because the 'msg' argument is not properly sanitized, allowing attackers to inject malicious scripts that execute in other users' browsers. This can be exploited remotely and requires some user interaction. The vulnerability arises from improper neutralization of user input during web page generation. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject and execute malicious scripts in the context of your users' browsers. This can lead to compromised user sessions, unauthorized actions performed on behalf of users, or the theft of sensitive information. Although the severity is considered low to moderate (CVSS score around 3.5), it affects the integrity of the application and can be exploited remotely. Applying the patch that sanitizes inputs and improves session management is advised to mitigate these risks. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable file Chattify/send.php and testing the 'msg' parameter for cross-site scripting (XSS) vulnerabilities. One method is to use Google dorking with queries like 'inurl:Chattify/send.php' to identify potentially vulnerable targets. Additionally, manual or automated testing tools can be used to inject scripts into the 'msg' parameter to see if they are executed, indicating the presence of the vulnerability. [2]

Mitigation Strategies

The immediate mitigation step is to apply the patch available at commit 995dd89d0e3ec5522966724be23a5d58ca1bdac3 on GitHub. This patch sanitizes inputs to prevent XSS attacks, improves session and access control, and adds bot protection via Google reCAPTCHA v3. Since the product is no longer supported, applying this patch is critical to resolve the issue. Additionally, enforcing proper input validation and access control can help mitigate the risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart