Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
AnalysisAI
Stored cross-site scripting (XSS) in Stel Order v3.25.1 and earlier allows unauthenticated remote attackers to inject persistent malicious JavaScript via the 'legalName' and 'employeeID' parameters at the '/app/FrontController' endpoint. When administrators or other users access affected sections, injected code executes in their browsers with user interaction, enabling session hijacking and account takeover. SSVC framework rates this as automatable but only partial technical impact with no confirmed active exploitation.
Technical ContextAI
The vulnerability resides in the FrontController endpoint of Stel Order, a web application handling order management. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from insufficient input validation and sanitization of user-supplied data in the 'legalName' and 'employeeID' parameters before storage in the backend database. Unlike reflected XSS, stored XSS persists in the database, meaning the malicious payload executes every time an authenticated user or administrator retrieves and renders that data in their browser context. The attack vector (AV:N/AC:L) indicates this is a network-accessible vulnerability with low complexity, and the requirement for user interaction (UI:A) means the victim must visit a page containing the stored payload for exploitation to succeed.
RemediationAI
Upgrade Stel Order to a version released after v3.25.1 that includes XSS input sanitization. If an exact patched version number is not yet available from the vendor, contact Stel Order support via INCIBE's advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order) for patch delivery timeline. Interim compensating controls: (1) Implement Content Security Policy (CSP) headers (e.g., 'default-src self; script-src self') on all Stel Order application pages to prevent inline script execution-trade-off: may break legitimate third-party integrations relying on inline scripts; (2) Apply Web Application Firewall (WAF) rules to block input containing script tags, event handlers (onclick, onerror), and HTML entity sequences in FrontController parameters; trade-off: legitimate users cannot paste text with angle brackets or quote characters; (3) Restrict access to the FrontController endpoint to authenticated users only via network access controls or reverse proxy authentication, reducing the PR:N exposure; trade-off: may break API integrations or public-facing features. Prioritize vendor patching over WAF rules due to the complexity of blacklist-based XSS prevention.
More in Stel Order
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30268
GHSA-vjqx-vf5x-gc8m