CVE-2025-70038
Cross-Site Scripting in linagora Twake Enables Code Execution
Publication date: 2026-03-09
Last updated on: 2026-03-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linagora | twake | 2023.q1.1223 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-70038, immediate steps include sanitizing and properly encoding all user inputs before rendering them in web pages to prevent script injection.
Additionally, applying any available patches or updates from linagora Twake for version v2023.Q1.1223 is recommended.
If patches are not available, consider implementing web application firewalls (WAF) rules to block common XSS attack patterns.
Educate users and administrators about the risks of XSS and encourage safe browsing practices.
Can you explain this vulnerability to me?
CVE-2025-70038 is a vulnerability in linagora Twake version v2023.Q1.1223 related to CWE-79, which involves improper neutralization of input during web page generation.
This flaw allows attackers to inject malicious scripts into web pages generated by the application, leading to cross-site scripting (XSS) attacks.
As a result, attackers can execute arbitrary code within the context of the affected web application.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application.
Such execution can lead to unauthorized access to user data and potentially compromise user accounts or sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'CVE-2025-70038 is a cross-site scripting (XSS) vulnerability in linagora Twake v2023.Q1.1223 that allows attackers to inject malicious scripts into web pages generated by the application.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can perform manual or automated testing for XSS issues by inputting typical XSS payloads into input fields or URL parameters and observing if the scripts are executed.'}, {'type': 'list_item', 'content': 'Use web vulnerability scanners such as OWASP ZAP or Burp Suite to scan the application for XSS vulnerabilities.'}, {'type': 'list_item', 'content': "Manually test input fields by injecting simple XSS payloads like <script>alert('XSS')</script> and check if the alert is triggered."}, {'type': 'list_item', 'content': 'Use curl or wget commands to send crafted HTTP requests with XSS payloads and analyze the responses for script execution.'}] [1]