CVE-2025-70038
Received Received - Intake
Cross-Site Scripting in linagora Twake Enables Code Execution

Publication date: 2026-03-09

Last updated on: 2026-03-13

Assigner: MITRE

Description
An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70038
EUVD
EUVD-2025-208438
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linagora twake 2023.q1.1223
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70038 is a vulnerability in linagora Twake version v2023.Q1.1223 related to CWE-79, which involves improper neutralization of input during web page generation.

This flaw allows attackers to inject malicious scripts into web pages generated by the application, leading to cross-site scripting (XSS) attacks.

As a result, attackers can execute arbitrary code within the context of the affected web application.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application.

Such execution can lead to unauthorized access to user data and potentially compromise user accounts or sensitive information.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'CVE-2025-70038 is a cross-site scripting (XSS) vulnerability in linagora Twake v2023.Q1.1223 that allows attackers to inject malicious scripts into web pages generated by the application.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can perform manual or automated testing for XSS issues by inputting typical XSS payloads into input fields or URL parameters and observing if the scripts are executed.'}, {'type': 'list_item', 'content': 'Use web vulnerability scanners such as OWASP ZAP or Burp Suite to scan the application for XSS vulnerabilities.'}, {'type': 'list_item', 'content': "Manually test input fields by injecting simple XSS payloads like <script>alert('XSS')</script> and check if the alert is triggered."}, {'type': 'list_item', 'content': 'Use curl or wget commands to send crafted HTTP requests with XSS payloads and analyze the responses for script execution.'}] [1]

Mitigation Strategies

To mitigate CVE-2025-70038, immediate steps include sanitizing and properly encoding all user inputs before rendering them in web pages to prevent script injection.

Additionally, applying any available patches or updates from linagora Twake for version v2023.Q1.1223 is recommended.

If patches are not available, consider implementing web application firewalls (WAF) rules to block common XSS attack patterns.

Educate users and administrators about the risks of XSS and encourage safe browsing practices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70038. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart