// For flags

CVE-2025-25190

[XBOW-025-033] Cross-Site Scripting (XSS) via EchoProcess Service in ZOO-Project WPS Server

Severity Score

5.5
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

The ZOO-Project is an open source processing platform. The ZOO-Project Web Processing Service (WPS) Server contains a Cross-Site Scripting (XSS) vulnerability in its EchoProcess service prior to commit 7a5ae1a. The vulnerability exists because the EchoProcess service directly reflects user input in its output without proper sanitization when handling complex inputs.The service accepts various input formats including XML, JSON, and SVG, and returns the content based on the requested MIME type. When processing SVG content and returning it with the image/svg+xml MIME type, the server fails to sanitize potentially malicious JavaScript in attributes like onload, allowing arbitrary JavaScript execution in the victim's browser context. This vulnerability is particularly dangerous because it exists in a service specifically designed to echo back user input, and the lack of proper sanitization in combination with SVG handling creates a reliable XSS vector. Commit 7a5ae1a contains a fix for the issue.

ZOO-Project es una plataforma de procesamiento de código abierto. El servidor del servicio de procesamiento web (WPS) de ZOO-Project contiene una vulnerabilidad de cross site scripting (XSS) en su servicio EchoProcess antes de el commit 7a5ae1a. La vulnerabilidad existe porque el servicio EchoProcess refleja directamente la entrada del usuario en su salida sin la depuración adecuada al gestionar entradas complejas. El servicio acepta varios formatos de entrada, incluidos XML, JSON y SVG, y devuelve el contenido en función del tipo MIME solicitado. Al procesar contenido SVG y devolverlo con el tipo MIME image/svg+xml, el servidor no puede limpiar el JavaScript potencialmente malicioso en atributos como onload, lo que permite la ejecución arbitraria de JavaScript en el contexto del navegador de la víctima. Esta vulnerabilidad es particularmente peligrosa porque existe en un servicio diseñado específicamente para hacer eco de la entrada del usuario, y la falta de una depuración adecuada en combinación con la gestión de SVG crea un vector XSS confiable. El commit 7a5ae1a contiene una solución para el problema.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
Low
Integrity
None
Low
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-02-03 CVE Reserved
  • 2025-02-10 CVE Published
  • 2025-02-11 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
ZOO-Project
Search vendor "ZOO-Project"
 ZOO-Project
Search vendor "ZOO-Project" for product "ZOO-Project"
 < 7
Search vendor "ZOO-Project" for product "ZOO-Project" and version " < 7"
en
Affected