Skip to main content

HotelRunner B2B CVE-2025-4294

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-22 iletisim@usom.gov.tr
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:56 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HotelRunner B2B allows Cross-Site Scripting (XSS).

This issue affects B2B: before 04.06.2025.

AnalysisAI

Cross-site scripting in HotelRunner's B2B platform allows a high-privileged authenticated attacker to inject malicious scripts into web pages viewed by other users. The Changed scope (S:C) in the CVSS vector confirms the injected payload executes in a victim's browser context, enabling session hijacking or credential theft against other platform users. No public exploit code or active exploitation has been identified at time of analysis; the EPSS score of 0.15% (36th percentile) reflects a low probability of widespread exploitation.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize attacker-controlled input before rendering it as HTML/JavaScript in a browser. In the HotelRunner B2B context, this is a B2B hospitality platform module. The CVSS Scope:Changed indicator is definitional for XSS - the vulnerability crosses the trust boundary from the application server into the victim's browser context. The attack vector is Network (AV:N) with low complexity (AC:L), meaning the injection mechanism is reachable over the internet without special conditions once the attacker holds high-privileged credentials. No CPE string was provided; affected product is identified as HotelRunner B2B versions prior to 04.06.2025.

Affected ProductsAI

HotelRunner B2B is affected in all versions released prior to 04.06.2025. No CPE string was provided in the source data. The vulnerability was disclosed by Turkey's national CERT (USOM/TR-CERT) under advisory TR-25-0169, accessible at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0169 and https://www.usom.gov.tr/bildirim/tr-25-0169. No additional affected platform variants or components were identified in the available intelligence.

RemediationAI

The vendor has released a patched version of HotelRunner B2B dated 04.06.2025; organizations should upgrade to the version released on or after that date. The advisory is published by USOM at https://www.usom.gov.tr/bildirim/tr-25-0169. Exact build or semantic version numbers were not specified in the available data - confirm the patched release identifier directly with HotelRunner. As a compensating control prior to patching, restrict high-privilege B2B platform accounts to trusted personnel only and audit recent admin activity for unexpected content injection. A Content Security Policy (CSP) header restricting inline script execution can reduce XSS impact but does not eliminate the vulnerability and may break legitimate platform functionality - test thoroughly before deployment.

Share

CVE-2025-4294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy