EUVD-2025-208946

CVE-2025-52204 (MEDIUM, CVSS 3.1 base score 6.1)
Published 2026-03-23; CNA: mitre; related advisory: GHSA-79wq-mgjf-5cc2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 23, 2026 - 20:00 (euvd) - EUVD-2025-208946
Analysis Generated: Mar 23, 2026 - 20:00 (vuln.today)
CVE Published: Mar 23, 2026 - 00:00 (nvd) - MEDIUM 6.1

Description

A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter.

Analysis

A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x: the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing an attacker to inject JavaScript that executes in the browser of any user who follows a crafted link. All Znuny ITSM versions in the 6.5.x release line are affected, and a proof-of-concept exploit has been publicly disclosed on GitHub, so working exploitation capability is already available to anyone who looks for it.

Technical Context

The vulnerability is rooted in missing input validation and output encoding in a web-application parameter handler. Specifically, the OTRSCustomerInterface parameter passed to the customer.pl endpoint in Znuny::ITSM is reflected into the HTTP response without being sanitized or HTML-encoded first. This is a classic reflected XSS (CWE category: Improper Neutralization of Input During Web Page Generation). Znuny is an open-source IT Service Management (ITSM) and help-desk ticketing system built on the OTRS framework. The affected component, customer.pl, is the customer-facing interface endpoint that handles customer interactions, which makes it a high-value target for phishing, credential harvesting, and malware distribution campaigns: the victim is a customer who trusts the portal's domain.

Affected Products

Znuny::ITSM version 6.5.x is affected by this vulnerability. The CPE for this product is listed as cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* in the CVE record, though this appears to be a placeholder entry; the actual affected software is Znuny ITSM. Affected organizations should consult the official Znuny security advisories at http://znuny.com for confirmation of the exact minor versions impacted within the 6.5.x branch and for guidance on patched versions. Reference material is also available at http://znunyitsm.com.

Remediation

Immediately upgrade Znuny::ITSM to a patched version released after this vulnerability disclosure; check http://znuny.com and http://znunyitsm.com for official security advisories and version numbers. As temporary mitigations pending the patch: deploy a Web Application Firewall (WAF) rule that blocks requests whose OTRSCustomerInterface value contains script-like payloads (e.g., javascript:, <script>, onerror=), enforce Content-Security-Policy (CSP) headers to restrict the origins from which scripts may execute, and restrict access to the customer.pl endpoint to known trusted IP ranges if operationally feasible. Note that a WAF rule only filters input; it does not substitute for the output encoding the patch provides. Additionally, serve the portal over HTTPS with HSTS to prevent man-in-the-middle injection of payloads into pages, and monitor access logs for suspicious values of the parameter.
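As an added example (not part of the vuln.today record or of the Znuny project), a small Python scanner implementing the last recommendation above: it reviews web-server access logs for customer.pl requests whose OTRSCustomerInterface value, once URL-decoded, contains one of the script-like markers named in the remediation text. The log lines, client IPs and timestamps are constructed samples, and the /otrs/ path prefix and Apache combined log format are assumptions about the deployment.

```python
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:20:01:07 +0000] "GET /otrs/customer.pl?Action=Login&OTRSCustomerInterface=Customer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2026:20:01:09 +0000] "GET /otrs/customer.pl?Action=Login&OTRSCustomerInterface=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Mar/2026:20:01:11 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom&TicketID=42 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2026:20:01:15 +0000] "GET /otrs/customer.pl?OTRSCustomerInterface=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# Apache combined log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script-like markers from the advisory's remediation guidance.
SCRIPT_MARKERS = ("javascript:", "<script", "onerror=")
PARAM = "OTRSCustomerInterface"


def normalise(value: str) -> str:
    """Lower-case a parameter value after extra URL-decoding passes (to catch
    double encoding) and HTML entity decoding, so markers cannot hide behind
    simple encoding tricks."""
    for _ in range(2):
        value = unquote(value.replace("+", " "))
    return unescape(value).lower()


def flag_requests(log_text: str):
    """Return (client_ip, timestamp, decoded_value) for every customer.pl
    request whose OTRSCustomerInterface value contains a script-like marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/customer.pl"):
            continue
        # parse_qs already performs one URL-decoding pass.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            decoded = normalise(raw)
            if any(marker in decoded for marker in SCRIPT_MARKERS):
                hits.append((m["ip"], m["ts"], decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in flag_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious {PARAM}={value!r}")
```

The fourth sample line is double URL-encoded, which a single-pass filter would miss; the scanner decodes repeatedly before matching.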

Priority Score

31 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +30, POC 0

EUVD-2025-208946 vulnerability details – vuln.today