Severity by source

CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious JavaScript that executes in a victim's browser. Fixed in 8.1.0 alpha.

Analysis (AI)
Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the CVSS score of 4.6 reflects moderate severity, the combination of authenticated access requirement, user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.
Technical Context (AI)
The vulnerability is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in Census CSWeb, a data collection and processing application used in statistical surveys. The root cause is insufficient input validation and output encoding in user-supplied fields within CSWeb 8.0.1 (CPE: cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*). Rather than sanitizing or encoding user input before storage in the database, the application directly renders user-controlled data in HTML contexts without proper escaping, allowing attackers to break out of intended data contexts and inject arbitrary JavaScript. This occurs in web form fields where users legitimately input survey data, but no Content Security Policy (CSP) or output encoding mitigates the risk. The flaw is particularly dangerous because it affects authenticated users with legitimate access to the application, who may not expect malicious payloads in peer-submitted data.
Remediation (AI)

Upgrade Census CSWeb to version 8.1.0 alpha or later (or to the stable release once it is available), as that version contains the fix for stored XSS in user-supplied fields. Until patching is feasible, apply the following compensating controls: enforce a strict Content Security Policy (CSP) header that prohibits inline script execution (script-src 'self'); set the HttpOnly and Secure flags on session cookies so that injected scripts cannot read them; and deploy a Web Application Firewall (WAF) with rules that detect and block script-injection patterns in user input fields. Additionally, restrict network access to CSWeb instances to trusted IP ranges and enforce strong authentication with multi-factor authentication (MFA) to reduce the authenticated attack surface. Inspect the database for payloads already stored in user-supplied fields, and sanitize or flag affected records for review. Monitor application logs for activity consistent with XSS exploitation (unusual script tags in form submissions, abnormal session activity). Refer to the Census CSWeb security advisory and the GitHub commit history for detailed patching instructions.
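As an added example that is not code from this page or from the CSWeb project, the following puts the points above side by side: the unescaped rendering of a user-supplied field that causes the flaw beside its HTML-encoded form, the database-level inspection heuristic for records that should be flagged for review, and a check that a CSP header actually forbids inline scripts. The stored field values, the regular expression and the function names are constructed for illustration and are not taken from CSWeb.

```python
import html
import re

# Constructed sample of stored survey-field values (not real CSWeb data).
STORED_FIELDS = {
    "respondent_name": "Ada Lovelace",
    "notes": "Household has 3 members <script>alert(document.cookie)</script>",
    "address": "12 Example St, Unit <img src=x onerror=alert(1)>",
    "comment": "Looks fine & nothing to see here",
}

# Triage heuristic for stored text; it will produce false positives, so
# matches are flagged for human review rather than deleted automatically.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript:|\son[a-z]+\s*=|<\s*(img|svg|iframe|object)\b",
    re.IGNORECASE,
)


def render_unsafe(value: str) -> str:
    """'Before' behaviour: user-controlled data dropped straight into HTML."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Hardened rendering: encode the value so any markup in it stays inert."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def flag_records(fields: dict[str, str]) -> list[str]:
    """Database-level inspection: names of fields whose value looks injected."""
    return [name for name, value in fields.items() if SUSPICIOUS.search(value)]


def csp_allows_inline_script(header_value: str) -> bool:
    """True if a Content-Security-Policy value still permits inline scripts.

    A policy with no script-src and no default-src restricts nothing, so it is
    reported as permissive; the page's recommended value is script-src 'self'.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src") or []
    return "'unsafe-inline'" in sources or not sources


if __name__ == "__main__":
    for name in flag_records(STORED_FIELDS):
        print(f"flag for review: {name} -> {render_safe(STORED_FIELDS[name])}")
    print("inline scripts blocked:", not csp_allows_inline_script("script-src 'self'"))
```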
External POC / Exploit Code

EUVD ID: EUVD-2025-208952