CVE-2025-70844
Cross-Site Scripting in yaffa v2.0.0 Account Group Function
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kantorge | yaffa | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70844 is a stored Cross-Site Scripting (XSS) vulnerability in yaffa version 2.0.0. It allows an attacker to inject malicious JavaScript code into the "Add Account Group" function on the account-group page. When other users view this page, the injected script executes in their browser context.
How can this vulnerability impact me? :
This vulnerability can lead to execution of arbitrary scripts in the browsers of users who view the affected page. This can compromise user security by enabling actions such as stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of the user.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a stored Cross-Site Scripting (XSS) in the "Add Account Group" function on the account-group page of yaffa v2.0.0. Detection involves checking for malicious JavaScript code injected into this function.
Since this is a web application vulnerability, detection can be done by inspecting the account-group page for unexpected or suspicious script tags or JavaScript code in the account group names or descriptions.
Automated scanning tools for XSS vulnerabilities can be used against the affected page.
Specific commands are not provided in the resources, but general approaches include using web vulnerability scanners like OWASP ZAP or Burp Suite to test the "Add Account Group" input for script injection.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the "Add Account Group" function until a patch or fix is applied.
Implement input validation and output encoding on the account-group page to prevent injection and execution of malicious scripts.
Update yaffa to a version where this vulnerability is fixed once available.
Restrict access to the affected page to trusted users only to minimize exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in yaffa v2.0.0 impacts compliance with common standards and regulations such as GDPR or HIPAA.