
CVE-2025-25190 – [XBOW-025-033] Cross-Site Scripting (XSS) via EchoProcess Service in ZOO-Project WPS Server
https://notcve.org/view.php?id=CVE-2025-25190
10 Feb 2025 — The ZOO-Project is an open source processing platform. The ZOO-Project Web Processing Service (WPS) Server contains a Cross-Site Scripting (XSS) vulnerability in its EchoProcess service prior to commit 7a5ae1a. The vulnerability exists because the EchoProcess service directly reflects user input in its output without proper sanitization when handling complex inputs. The service accepts various input formats including XML, JSON, and SVG, and returns the content based on the requested MIME type. When processin... • https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-25189 – [XBOW-025-031] Reflected Cross-Site Scripting via jobid Parameter in ZOO-Project WPS publish.py CGI Script
https://notcve.org/view.php?id=CVE-2025-25189
10 Feb 2025 — The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI sc... • https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-53982 – Arbitrary file download in Zoo-Project Echo Example
https://notcve.org/view.php?id=CVE-2024-53982
04 Dec 2024 — ZOO-Project is a C-based WPS (Web Processing Service) implementation. A path traversal vulnerability was discovered in the Zoo-Project Echo example. The Echo example, available by default in Zoo installs, implements file caching, which can be controlled by user-given parameters. No input validation is performed on this parameter, which allows an attacker to fully control the file which is returned in the response. The patch was committed on November 22nd, 2024. • https://github.com/ZOO-Project/ZOO-Project/commit/641cb18fec58de43a3468f314e5f8808c560e6d9 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2005-2349
https://notcve.org/view.php?id=CVE-2005-2349
28 Oct 2019 — Zoo 2.10 has a directory traversal vulnerability. • http://www.openwall.com/lists/oss-security/2015/01/03/1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •