CVSS Vector (source: NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (source: NVD)
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in the Elfsight Contact Form widget allows retrieval of embedded sensitive data. This issue affects the Elfsight Contact Form widget: from n/a through 2.3.1.
Analysis (AI-generated)
CVE-2025-31045 is an information disclosure vulnerability in the Elfsight Contact Form widget (versions through 2.3.1) that allows unauthenticated remote attackers to retrieve embedded sensitive data without any user interaction. The vulnerability exposes system information to an unauthorized control sphere; the vector rates confidentiality impact as high with no integrity or availability impact (C:H/I:N/A:N), giving a CVSS base score of 7.5 (High). KEV status and EPSS probability are not provided in the available sources, but the combination of network reachability (AV:N), no required privileges (PR:N) and no user interaction (UI:N) indicates that exploitation requires little from an attacker beyond reaching the widget.
Technical Context (AI-generated)
The vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which covers cases where system-level information is made available to entities or control domains that should not have access to it. In the Elfsight Contact Form widget, the available sources do not specify the exact mechanism; it likely involves insufficient access control or data exposure in the widget's backend API or embedded configuration data. Because the widget is typically embedded in web pages via JavaScript, embedded configuration, API keys or system metadata that should remain protected may be exposed to anyone who can load the page. The affected range is stated as "from n/a through 2.3.1"; the absence of a lower bound indicates that all earlier released versions should be treated as vulnerable. Exposure of this kind is especially significant in SaaS widget deployments, where multiple customer environments share the same infrastructure and a single leaked secret or system detail can affect more than one tenant.
EUVD-2025-17491