CVE-2025-25189 (GCVE-0-2025-25189)
Vulnerability from cvelistv5
Published
2025-02-10 22:05
Modified
2025-02-11 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim's browser. Commit 7a5ae1a contains a fix for the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZOO-Project | ZOO-Project |
Version: < 7a5ae1a |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:18:54.911320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:20:15.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ZOO-Project",
"vendor": "ZOO-Project",
"versions": [
{
"status": "affected",
"version": "\u003c 7a5ae1a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim\u0027s browser. Commit 7a5ae1a contains a fix for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:09:48.628Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p"
},
{
"name": "https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac"
}
],
"source": {
"advisory": "GHSA-pw7m-p9q7-357p",
"discovery": "UNKNOWN"
},
"title": "[XBOW-025-031] Reflected Cross-Site Scripting via jobid Parameter in ZOO-Project WPS publish.py CGI Script"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25189",
"datePublished": "2025-02-10T22:05:20.596Z",
"dateReserved": "2025-02-03T19:30:53.399Z",
"dateUpdated": "2025-02-11T15:20:15.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-25189\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-10T22:15:38.190\",\"lastModified\":\"2025-02-11T16:15:52.313\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim\u0027s browser. Commit 7a5ae1a contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"ZOO-Project es una plataforma de procesamiento de c\u00f3digo abierto. Existe una vulnerabilidad de tipo Cross-Site Scripting reflejado en el script CGI publish.py del Servicio de procesamiento web (WPS) de ZOO-Project antes de el commit 7a5ae1a. El script refleja la entrada del usuario desde el par\u00e1metro `jobid` en su respuesta HTTP sin la codificaci\u00f3n HTML ni la depuraci\u00f3n adecuadas. Cuando una v\u00edctima visita una URL especialmente manipulada que apunta a este endpoint, se puede ejecutar c\u00f3digo JavaScript arbitrario en el contexto de su navegador. La vulnerabilidad se produce porque el script CGI genera directamente los par\u00e1metros de la cadena de consulta en la respuesta HTML sin escapar los caracteres especiales HTML. Un atacante puede inyectar c\u00f3digo JavaScript malicioso a trav\u00e9s del par\u00e1metro `jobid` que se ejecutar\u00e1 cuando lo procese el navegador de la v\u00edctima. El commit 7a5ae1a contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"LOW\",\"subsequentSystemIntegrity\":\"LOW\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25189\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-11T15:18:54.911320Z\"}}}], \"references\": [{\"url\": \"https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-11T15:20:10.172Z\"}}], \"cna\": {\"title\": \"[XBOW-025-031] Reflected Cross-Site Scripting via jobid Parameter in ZOO-Project WPS publish.py CGI Script\", \"source\": {\"advisory\": \"GHSA-pw7m-p9q7-357p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ZOO-Project\", \"product\": \"ZOO-Project\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7a5ae1a\"}]}], \"references\": [{\"url\": \"https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p\", \"name\": \"https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac\", \"name\": \"https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim\u0027s browser. Commit 7a5ae1a contains a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-10T22:09:48.628Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25189\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-11T15:20:15.078Z\", \"dateReserved\": \"2025-02-03T19:30:53.399Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-10T22:05:20.596Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…