CVE-2025-66845
Unknown Unknown - Not Provided
Reflected XSS in TechStore 1.0 user_name Endpoint Enables Code Execution

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: MITRE

Description
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66845
EUVD
EUVD-2025-204802
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
techstore techstore 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this reflected Cross-Site Scripting (XSS) vulnerability in TechStore version 1.0 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-66845 is a reflected Cross-Site Scripting (XSS) vulnerability in TechStore version 1.0. It occurs in the /user_name endpoint, where the id query parameter is directly reflected into the HTML response without any output encoding or sanitization. This allows an attacker to inject and execute arbitrary JavaScript code in the victim's browser by crafting a malicious URL containing script code in the id parameter. [1]

Impact Analysis

This vulnerability can lead to client-side attacks such as session hijacking, where an attacker can steal a user's session cookies or perform actions on behalf of the user. It can also enable other malicious activities like defacement, phishing, or spreading malware by executing arbitrary JavaScript in the victim's browser. [1]

Detection Guidance

You can detect this vulnerability by testing the /user_name endpoint with a crafted URL that includes a script tag in the id query parameter, for example: http://127.0.0.1:5001/user_name?id=<script>alert('XSS')</script>. If the script executes in the browser, the vulnerability is present. Using tools like curl or wget to fetch the response and inspecting if the id parameter is reflected without encoding can help detect it. For example, using curl: curl 'http://127.0.0.1:5001/user_name?id=<script>alert(1)</script>' and checking the response HTML for the injected script tag. [1]

Mitigation Strategies

Immediate mitigation steps include implementing proper output encoding or sanitization on the id query parameter in the /user_name endpoint to prevent execution of injected scripts. Refer to the OWASP Cross-Site Scripting Prevention Cheat Sheet for best practices. Additionally, consider applying input validation, using frameworks that automatically escape output, and deploying Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66845. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart