VYPR
Low severity · CVSS 3.5 · OSV Advisory · Published Dec 31, 2025 · Updated Apr 15, 2026

CVE-2019-25262

Description

A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. It affects an unknown part of the file Chattify/send.php in the component Chat Message Handler. Manipulation of the argument msg leads to cross-site scripting. The attack may be performed remotely. This product uses a rolling release system for continuous delivery, so version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying the patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS in Razgover chat message handler allows remote unauthenticated attackers to inject arbitrary scripts via the msg parameter.

Vulnerability

CVE-2019-25262 describes a stored cross-site scripting (XSS) vulnerability in the elinicksic Razgover chat application, specifically in the file Chattify/send.php. The msg parameter is not sanitized before being stored and later rendered in the chat output, allowing an attacker to inject arbitrary HTML or JavaScript. The patch commit 995dd89d0e3ec5522966724be23a5d58ca1bdac3 shows that the fix also adds authentication checks and uses jQuery to load messages via load.php, which likely sanitizes output [1].

Exploitation

An attacker can send a crafted message containing malicious script code via the msg parameter to send.php. The attack is performed remotely and does not require authentication, as the original code lacked session checks. The injected script executes in the context of any user viewing the chat messages, leading to persistent XSS [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in other users' browsers, in the context of their sessions. This can lead to session hijacking, defacement, or theft of sensitive information. The CVSS v3 score is 3.5 (Low) due to the requirement for user interaction and the limited scope of impact [1].

Mitigation

The maintainer has provided a patch in commit 995dd89d0e3ec5522966724be23a5d58ca1bdac3. However, the repository was archived in August 2021 and is now read-only, indicating the product is no longer supported. Users are advised to apply the patch or migrate to an alternative solution [1].
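To make the unsafe pattern and the shape of the fix concrete, here is an added PHP illustration; it is not Razgover's code and not the patch in commit 995dd89d0e3ec5522966724be23a5d58ca1bdac3. The function names, the session field, and the length limit are assumptions chosen for the example.

```php
<?php
// Added illustration, not Razgover's code: a minimal chat store/render pair
// showing the unsafe pattern behind CVE-2019-25262 and one hardened form.
// Function names, the 'user_id' session field and the 500-char limit are
// assumptions for this example.
declare(strict_types=1);

// Vulnerable pattern: msg is stored verbatim and echoed back as raw HTML,
// and nothing checks that the sender is logged in.
function storeMessageUnsafe(array &$store, string $msg): void
{
    $store[] = $msg;                          // no auth check, no validation
}
function renderMessagesUnsafe(array $store): string
{
    $html = '';
    foreach ($store as $m) {
        $html .= "<div class=\"msg\">$m</div>"; // raw interpolation: stored XSS
    }
    return $html;
}

// Hardened pattern: require an authenticated session, bound the length,
// and HTML-encode at render time so markup in a message becomes inert text.
function storeMessageSafe(array &$store, string $msg, array $session): bool
{
    if (empty($session['user_id'])) {         // reject unauthenticated senders
        return false;
    }
    $msg = trim($msg);
    if ($msg === '' || mb_strlen($msg, 'UTF-8') > 500) {
        return false;                         // reject empty/oversized input
    }
    $store[] = $msg;                          // keep raw; encode on output
    return true;
}
function renderMessagesSafe(array $store): string
{
    $html = '';
    foreach ($store as $m) {
        $safe = htmlspecialchars($m, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<div class="msg">' . $safe . '</div>';
    }
    return $html;
}

// Constructed sample input: a message that carries a script tag.
$store   = [];
$session = ['user_id' => 42];
storeMessageSafe($store, '<script>alert(1)</script>hello', $session);
echo renderMessagesSafe($store), PHP_EOL;
```

The unsafe renderer would emit the script tag as live markup; the hardened one emits it as escaped text, and the session check closes the unauthenticated-send path the advisory describes.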

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Elinicksic/Razgover (OSV), 2 versions
    • (no CPE)
    • (no CPE), range: <db37dfc5c82f023a40f2f7834ded6633fb2b5262

Patches (1)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.