Skip to main content

CobbleStone Contract Management CVE-2025-56320

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-10-17 cve@mitre.org
5.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by need for authenticated account to post chat; UI:R because victim must view the stored payload; S:C reflects cross-user browser context impact; no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 15:30 vuln.today

DescriptionCVE.org

CobbleStone Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored Cross-Site Scripting (XSS) in its chat box component. This allows a remote attacker to execute arbitrary code. NOTE: the Supplier reports that this is "Present only in an obsolete, unsupported version no longer in circulation."

AnalysisAI

Stored Cross-Site Scripting in CobbleStone Enterprise Contract Management Portal v22.4.0 allows a low-privileged, authenticated remote attacker to inject persistent malicious scripts into the application's chat box component. When a victim user views the chat, the injected script executes in their browser session, enabling session hijacking, credential theft, or in-application action forgery scoped to the vulnerable system. Notably, the vendor has disclosed that v22.4.0 is an obsolete, unsupported version no longer in active distribution, which substantially narrows the real-world attack surface. No public exploit identified at time of analysis, though a researcher writeup on Medium constitutes partial technical disclosure.

Technical ContextAI

CobbleStone Enterprise Contract Management Portal is a commercial contract lifecycle management (CLM) platform. The vulnerability resides in the chat box component - a user-generated content surface - and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Stored XSS'). The root cause is failure to sanitize or encode attacker-controlled input before persisting it to the database and later rendering it in other users' browser contexts. The affected CPE is inferred from the description as cpe:/a:cobblestonesoftware:enterprise_contract_management:22.4.0. The CVSS Scope:Changed (S:C) metric confirms the injected payload breaks out of the originating user's session context and affects victims' browsers as a secondary trust boundary. The 'RCE' tag in source intelligence is a misnomer - this is client-side JavaScript execution within the browser DOM, not server-side remote code execution.

Affected ProductsAI

CobbleStone Enterprise Contract Management Portal version 22.4.0 is confirmed affected per the CVE description and researcher disclosure. The vendor explicitly states this version is obsolete and unsupported and no longer in active distribution. No CPE string was formally registered in the NVD record; the affected product is identifiable as the CobbleStone Software enterprise CLM platform at the specific version cited. No other versions are confirmed affected or unaffected from available data. The vendor product page is available at https://www.cobblestonesoftware.com/products/enterprise-contract-management-software but does not provide a version-specific advisory.

RemediationAI

The primary remediation is upgrading from the end-of-life v22.4.0 to any current, vendor-supported release of CobbleStone Enterprise Contract Management Portal. Vendor-released patch: a specific patched version is not independently confirmed from available references - contact CobbleStone Software directly via their product portal at https://www.cobblestonesoftware.com/products/enterprise-contract-management-software to obtain the current supported release. If immediate upgrade is not feasible, compensating controls include restricting access to the chat box component via application-layer access controls or WAF rules that block script-bearing payloads in chat submission endpoints (noting WAF bypass is possible and this is not a durable fix). Organizations should also enable Content-Security-Policy headers to restrict inline script execution, which reduces XSS impact even if injection occurs. Given the vendor's end-of-life declaration, continued operation of v22.4.0 should be treated as an accepted technical debt risk requiring formal risk acceptance or expedited migration.

Share

CVE-2025-56320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy