EUVD-2025-17514

CVE-2025-39539 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-09 [email protected]
CVSS 3.1 base score: 7.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd) - EUVD-2025-17514
CVE Published: Jun 09, 2025 - 16:15 (nvd) - HIGH 7.1

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quitenicestuff Soho Hotel allows Reflected XSS. This issue affects Soho Hotel: from n/a through 4.2.5.

Analysis (AI)

CVE-2025-39539 is a reflected cross-site scripting (XSS) vulnerability in quitenicestuff Soho Hotel versions through 4.2.5 that lets an unauthenticated attacker inject script into web pages viewed by other users. With a CVSS score of 7.1, network reachability and no prerequisite beyond a victim's interaction (opening a crafted link), the flaw can be used to steal session cookies, perform actions in the victim's browser on their behalf, or redirect users to malicious sites. The root cause is missing input validation and insufficient output encoding when the hotel management software generates web pages, so request parameters are reflected into the response as live markup.

Technical Context (AI)

This vulnerability stems from improper neutralization of user-supplied input during dynamic HTML generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Soho Hotel application fails to properly sanitize or encode user-controllable parameters before reflecting them in HTTP responses. Reflected XSS vulnerabilities occur when untrusted data from HTTP requests is directly embedded into response pages without encoding, allowing attackers to craft malicious URLs containing JavaScript payloads. The application likely lacks context-aware output encoding (HTML entity encoding, JavaScript escaping, or URL encoding depending on context) at the point where user input is rendered to the page. This is a classic web application vulnerability affecting hotel management/booking systems where parameters like search terms, reservation details, or administrative inputs may be reflected in error messages, confirmations, or search results without proper sanitization.

Remediation (AI)

Immediate action:
(1) Upgrade quitenicestuff Soho Hotel to version 4.2.6 or later (patch release addressing XSS input validation).
(2) If immediate patching is not possible, implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in URL parameters and POST data.
(3) Deploy Content Security Policy (CSP) headers to prevent inline script execution and restrict script sources to trusted origins only.
(4) Conduct a security audit of all user input points in the application (search fields, filter parameters, admin forms) to identify similar reflection vulnerabilities.
(5) Implement output encoding at all points where user input is reflected: use parameterized templating or libraries that auto-encode by default (e.g., Django templates, Jinja2, or similar).
(6) Enable HttpOnly and Secure flags on session cookies to limit XSS impact.
Contact quitenicestuff for official patch releases and vendor security advisories detailing the scope of the fix.
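The context-aware output encoding described under Technical Context, together with remediation steps (3), (5) and (6), as an added Python example. This is not code from Soho Hotel or from the advisory; the product's own code is not on this page. It assumes a hypothetical search page whose `q` parameter is reflected in three contexts (HTML body, a URL in an attribute, and an inline script), and the probe string, nonce and function names are constructed for the illustration.

```python
"""Reflected parameter rendered unsafely vs. with per-context encoding,
plus the CSP and cookie headers that limit the impact of any miss.
Added example; names and sample values are constructed."""
import html
import json
import secrets
from urllib.parse import quote

# Constructed probe string: the classic marker used to test for reflection.
SAMPLE_TERM = "<script>alert(1)</script>"


def encode_html(value: str) -> str:
    """HTML body / quoted attribute context: entity-encode & < > \" '."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inline <script> string context.

    json.dumps gives a quoted, backslash-escaped JS string literal; the extra
    replacements turn < > & into \\uXXXX escapes so the string can never close
    the surrounding <script> element or open a new tag, whatever the browser's
    HTML parser sees first.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Query-string context: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_search_unsafe(term: str) -> str:
    """'Before' form: the request parameter is interpolated verbatim (CWE-79)."""
    return (f"<h1>Results for {term}</h1>"
            f"<script>var term = '{term}';</script>")


def render_search_safe(term: str, nonce: str) -> str:
    """Hardened form: one encoder per output context, and the only inline
    script carries the CSP nonce so an injected one would not run anyway."""
    return (
        f"<h1>Results for {encode_html(term)}</h1>"
        f'<a href="/search?q={encode_url_param(term)}">Permalink</a>'
        f'<script nonce="{encode_html(nonce)}">'
        f"var term = {encode_js_string(term)};</script>"
    )


def security_headers(session_id: str, nonce: str) -> dict:
    """Response headers for steps (3) and (6): nonce-based CSP that blocks
    unlisted inline script, and a session cookie the script cannot read."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "Set-Cookie": f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/",
        "X-Content-Type-Options": "nosniff",
    }


def handle_request(term: str, session_id: str) -> tuple:
    """Tie it together: fresh nonce per response, shared by page and header."""
    nonce = secrets.token_urlsafe(16)
    return render_search_safe(term, nonce), security_headers(session_id, nonce)


if __name__ == "__main__":
    body, headers = handle_request(SAMPLE_TERM, "demo-session")
    print(headers["Content-Security-Policy"])
    print(body)
```

The unsafe renderer echoes the probe string as live markup in both contexts; the safe one produces a page in which the only `<script` is the trusted, nonced one. The nonce must be freshly generated per response and never derived from request data, otherwise the CSP provides no protection.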


EUVD-2025-17514 vulnerability details – vuln.today
