CVE-2025-52204
Cross-Site Scripting in Znuny::ITSM 6.5.x customer.pl Endpoint
Publication date: 2026-03-23
Last updated on: 2026-03-26
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| znuny | znuny | 6.5.9 |
| znuny | znuny | 7.1.3 |
| znuny | znuny | 7.0.11 |
| znuny | znuny | From 7.2.0 (inc) to 7.3.0 (exc) |
| znuny | znuny | From 6.5.9 (inc) to 6.5.18 (inc) |
| znuny | znuny | 6.5.19 |
| znuny | znuny | 7.3.1 |
| znuny | itsm | 6.5 |
| znuny | znuny | 6.5 |
| znuny | znuny | 7.0 |
| znuny | znuny | 7.1 |
| znuny | znuny | 7.2 |
| znuny | znuny | From 6.5.19 (inc) |
| znuny | znuny | From 7.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52204 is a Reflected Cross-Site Scripting (XSS) and HTML Injection vulnerability in Znuny, specifically affecting the customer.pl endpoint.
The vulnerability allows unauthenticated remote attackers to inject arbitrary JavaScript or HTML via a parameter defined by the system configuration variable CustomerPanelSessionName, commonly known as OTRSCustomerInterface.
This means that an attacker can craft a malicious URL that, when visited by a user, causes the application to execute attacker-controlled scripts in the victim's browser.
How can this vulnerability impact me?
This vulnerability can have several impacts including:
- Injection of arbitrary HTML or JavaScript into the HTTP response.
- Manipulation of the customer-facing login interface.
- Display of deceptive or phishing-style content to users.
- Redirecting users to attacker-controlled resources.
- Execution of malicious scripts in the victim's browser within the context of the affected application.
The attack requires no authentication and can be performed remotely via crafted GET requests, making it easier for attackers to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests targeting the customer.pl endpoint, specifically looking for requests that include the OTRSCustomerInterface parameter with suspicious or crafted payloads.
You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like curl or wget to test the endpoint with a crafted payload can help verify if the vulnerability exists.
- Example curl command to test for reflected XSS: `curl -v 'http://your-znuny-instance/otrs/customer.pl?OTRSCustomerInterface=<script>alert(1)</script>'`
- Check web server logs for GET requests to /otrs/customer.pl or /znuny/customer.pl containing suspicious script tags or unusual parameter values.
- Use intrusion detection systems or web application firewalls (WAF) to alert on requests containing typical XSS payload patterns targeting the OTRSCustomerInterface parameter. [2]
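The log-review step above, as an added worked example that is not part of the advisory and not Znuny project code: a Python scanner over access log lines in the Apache/nginx combined format that flags GET requests to customer.pl whose OTRSCustomerInterface value, after URL decoding (including double encoding), contains HTML markup. The log format, the markup patterns and the sample log lines are constructed assumptions of this example; an installation that changed CustomerPanelSessionName away from its default must adjust SUSPECT_PARAM accordingly.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameter named in the advisory (default value of CustomerPanelSessionName).
# Assumption: the installation uses the default name.
SUSPECT_PARAM = "OTRSCustomerInterface"
TARGET_SCRIPT = "customer.pl"

# Markup fragments that have no business in a session-name parameter.
# This pattern list is an assumption of this example, not from the advisory.
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z!]", re.I),   # any HTML tag opener: <script, </div, <!--
    re.compile(r"javascript\s*:", re.I),     # javascript: URL scheme
    re.compile(r"\bon[a-z]+\s*=", re.I),     # inline event handler attribute
]

# Combined log format (assumed): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding; stop once decoding no longer changes the value."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request_target(target: str):
    """Return (decoded_value, matched_pattern) when the request target is a
    customer.pl request whose OTRSCustomerInterface value carries markup,
    otherwise None. Requests to other scripts are ignored on purpose."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return None
    # parse_qs already decodes one layer; decode_fully handles further layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get(SUSPECT_PARAM, []):
        value = decode_fully(raw)
        for pat in MARKUP_PATTERNS:
            if pat.search(value):
                return value, pat.pattern
    return None


def scan_log(lines):
    """Return a list of findings (one dict per suspicious log line)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool should count these
        hit = inspect_request_target(m.group("target"))
        if hit:
            value, pattern = hit
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "time": m.group("time"),
                "status": m.group("status"),
                "value": value,
                "pattern": pattern,
            })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses); lines 3 and 4
# carry a URL-encoded and a double-URL-encoded script tag respectively.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:10:01:12 +0000] "GET /otrs/customer.pl?Action=Login HTTP/1.1" 200 5120
203.0.113.5 - - [23/Mar/2026:10:01:30 +0000] "GET /otrs/customer.pl?OTRSCustomerInterface=abc123def HTTP/1.1" 200 5120
198.51.100.7 - - [23/Mar/2026:10:02:01 +0000] "GET /otrs/customer.pl?OTRSCustomerInterface=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300
198.51.100.7 - - [23/Mar/2026:10:02:05 +0000] "GET /znuny/customer.pl?OTRSCustomerInterface=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5300
192.0.2.9 - - [23/Mar/2026:10:03:00 +0000] "GET /otrs/index.pl?OTRSCustomerInterface=%3Cscript%3E HTTP/1.1" 302 0
""".splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} at {f['time']} "
              f"status {f['status']} value {f['value']!r} (pattern {f['pattern']})")
```

Run against a real access log with `scan_log(open("access.log"))`. The scanner deliberately decodes more than once, because a value that is double-encoded passes through a naive single-decode check as harmless-looking percent sequences, and it reports the HTTP status so a responder can tell at a glance whether the reflected request was served a 200.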
What immediate steps should I take to mitigate this vulnerability?
The primary and most effective mitigation is to upgrade Znuny to the fixed versions: Znuny LTS 6.5.19 or Znuny 7.3.1, where the vulnerability has been patched.
In addition to upgrading, you should review and restrict public exposure of the customer-facing interface to reduce the attack surface.
Monitor incoming requests targeting the customer.pl endpoint for suspicious activity and consider applying local configuration hardening, although this may not fully mitigate the issue without the vendor fix.