EUVD-2025-208952

CVE-2025-60948 | Severity: MEDIUM | Published: 2026-03-23 | CNA: cisa-cg
CVSS 4.0 base score: 5.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X

Lifecycle Timeline

PoC Detected: Mar 25, 2026 21:07 (vuln.today); public exploit code
Analysis Generated: Mar 23, 2026 21:30 (vuln.today)
EUVD ID Assigned: Mar 23, 2026 21:30 (euvd); EUVD-2025-208952
CVE Published: Mar 23, 2026 21:00 (nvd); MEDIUM 5.1

Description

Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.

Analysis

Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the CVSS score of 4.6 reflects moderate severity, the combination of authenticated access requirement, user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.

Technical Context

The vulnerability is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in Census CSWeb, a data collection and processing application used in statistical surveys. The root cause is insufficient input validation and output encoding in user-supplied fields within CSWeb 8.0.1 (CPE: cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*). User-controlled values are stored in the database and later rendered directly into HTML contexts without escaping, so an attacker can break out of the intended data context and inject arbitrary JavaScript. This occurs in web form fields where users legitimately enter survey data, and no Content Security Policy (CSP) or output encoding mitigates the risk. The flaw is particularly dangerous because the payload is delivered to authenticated users with legitimate access to the application, who have no reason to expect malicious content in peer-submitted data.

Affected Products

Census CSWeb versions up to and including 8.0.1 are affected, as confirmed via CPE (cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*). The vulnerability was fixed in CSWeb 8.1.0 alpha. Users should consult the official Census CSWeb GitHub repository at https://github.com/csprousers/csweb for patch availability and advisory details, including the specific commit (eba0b59a243390a1a4f9524cce6dbc0314bf0d91) that addressed the flaw. The official CVE record is available at https://www.cve.org/CVERecord?id=CVE-2025-60948, and CISA's security advisory is available at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json for additional context.

Remediation

Immediately upgrade Census CSWeb to version 8.1.0 alpha or later once released as stable, as this version contains the fix for stored XSS in user-supplied fields. Until patching is feasible, implement the following compensating controls: enforce strict Content Security Policy (CSP) headers prohibiting inline script execution (script-src 'self'); set the HttpOnly flag on session cookies so injected script cannot read them, and the Secure flag so they are only sent over HTTPS; and deploy a Web Application Firewall (WAF) with rules to detect and block script injection patterns in user input fields. Additionally, restrict network access to CSWeb instances to trusted IP ranges and enforce strong authentication with multi-factor authentication (MFA) to reduce the authenticated attacker surface. Inspect the database for existing malicious payloads in user-supplied fields, and sanitize affected records or flag them for review. Monitor application logs for activity patterns consistent with XSS exploitation (unusual script tags in form submissions, abnormal session activity). Refer to the Census CSWeb security advisory and the GitHub commit history for detailed patching instructions.
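The Technical Context and Remediation sections above describe three things a defender acts on: the missing output encoding that is the root cause, the CSP and cookie-flag compensating controls, and a review of already-stored records. The following Python script is an added illustration of all three and is not CSWeb code or the project's fix; the field names, sample records and header values are constructed for the example, and the scan pattern is a triage heuristic rather than a sanitizer.

```python
"""Output encoding, CSP/cookie hardening and stored-record triage for a
stored XSS in user-supplied form fields.

Added example; it does not reproduce CSWeb's templates or its 8.1.0 fix.
"""
import html
import re
from typing import Iterable

# Constructed sample records standing in for persisted survey fields.
# Records 2 and 4 carry classic markup payloads so the scanner has hits.
STORED_FIELDS = [
    {"id": 1, "field": "comment", "value": "Household has 3 members"},
    {"id": 2, "field": "comment", "value": '<script>document.title="x"</script>'},
    {"id": 3, "field": "name", "value": 'Ana "O\'Neil" <ana@example.org>'},
    {"id": 4, "field": "comment", "value": '<img src=x onerror="alert(1)">'},
]


def render_field_unsafe(value: str) -> str:
    """The vulnerable pattern: a stored value is concatenated into HTML as-is,
    so any markup in it becomes part of the page (CWE-79)."""
    return f"<td>{value}</td>"


def render_field_safe(value: str) -> str:
    """The fix: encode at output time for an HTML text context. The stored
    value is left untouched; only its rendering changes."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_attr_safe(value: str) -> str:
    """Attribute context: keep the attribute quoted and escape quotes so the
    value cannot terminate the attribute and add its own (e.g. an on* handler)."""
    return f'<input name="comment" value="{html.escape(value, quote=True)}">'


def security_headers() -> dict:
    """Compensating controls named in the advisory: a CSP that forbids inline
    script, and HttpOnly/Secure session cookies. Values are illustrative."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
        "Set-Cookie": "session=<opaque>; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


# Heuristic for reviewing existing records: script tags, iframes, javascript:
# URLs and inline event handlers. Matches are for human review, not proof.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def find_suspicious(records: Iterable[dict]) -> list:
    """Return the ids of stored records whose value looks like active markup."""
    return [r["id"] for r in records if SUSPICIOUS.search(r["value"])]


def main() -> None:
    for r in STORED_FIELDS:
        print("unsafe:", render_field_unsafe(r["value"]))
        print("safe:  ", render_field_safe(r["value"]))
    print("records to review:", find_suspicious(STORED_FIELDS))
    print(security_headers())


if __name__ == "__main__":
    main()
```

Running the script prints each sample value rendered both ways, which makes the point visible: the unsafe renderer emits the `<script>` and `onerror` markup verbatim, while the encoded renderer turns it into inert text. The scan over the constructed records reports ids 2 and 4 for review; a real inspection would run the same pattern over the relevant database columns and treat hits as a starting point for manual triage.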

Priority Score

46 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +26
POC: +20

EUVD-2025-208952 vulnerability details – vuln.today
