Globe Document Intelligence CVE-2025-65640
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross Site Scripting (XSS) vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript code within these fields, the application fails to properly sanitize or escape the content. As a result, the injected script is executed when the page is rendered, allowing the attacker to execute arbitrary JavaScript in the context of other users' browsers who view the affected page.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input submitted during document creation is neither sanitized nor HTML-escaped before being rendered into the DOM on the 'Task in Progress / Recent' page, resulting in stored XSS. The attack surface is the document management workflow of Arket Globe Document Intelligence, a document intelligence platform. Because the payload persists server-side and fires on page render for any visiting user, this is a stored (persistent) XSS variant - more impactful than reflected XSS since it does not require tricking a victim into clicking a crafted link. The CPE string provided (cpe:2.3:a:n/a:n/a) is generic and not product-specific, so affected version identification relies exclusively on the CVE description citing version 5.0.0.559.
RemediationAI
No vendor-released patch has been identified at time of analysis. Organizations should monitor the Arket vendor site (https://www.arket.it/) for a patched release addressing this stored XSS. As compensating controls: implement a strict Content Security Policy (CSP) header with 'script-src self' to block inline script execution - note this may break legitimate functionality and requires application testing before deployment. Deploy WAF rules targeting XSS payloads (script tags, JavaScript event handler attributes) on document creation endpoints; this reduces risk but may cause false positives on legitimate rich-text content. Restrict document creation privileges to the minimum necessary set of users, reducing the pool of potential attackers. The public PoC at https://github.com/vincenzo-emanuele/CVE-2025-65640 can be used to validate whether compensating controls are effective before a vendor patch is available.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today