VYPR

Medium severity · NVD Advisory · Published Feb 18, 2025 · Updated Apr 15, 2026

CVE-2025-0423

Description

In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker is able to compromise the sessions of users on the server by injecting JavaScript code into their session using an "Unauthenticated Stored Cross-Site Scripting". The attacker is then able to ride the session of those users and can abuse their privileges on the "bestinformed Web" application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-0423 is an unauthenticated stored XSS in bestinformed Web, fixed in version 6.2.2.5, allowing session hijacking and privilege abuse.

Vulnerability Analysis

CVE-2025-0423 is a stored cross-site scripting (XSS) vulnerability affecting the Cordaware bestinformed Web application. The root cause is improper sanitization of user-supplied input, allowing an unauthenticated attacker to inject arbitrary JavaScript code into the application's storage. When other users access the affected content, the injected script executes in their browser session, leading to persistent XSS attacks. This vulnerability is classified as medium severity and does not require authentication to exploit [1].

Attack Vector and Prerequisites

An attacker can exploit this vulnerability by sending a crafted request containing malicious JavaScript to the bestinformed Web interface. No authentication or prior access is required—the attack is fully unauthenticated. The injected code is stored server-side and subsequently rendered to other users, meaning any user who views the affected page is at risk. The vulnerability allows the attacker to compromise user sessions, effectively riding the session of the victim and gaining the privileges associated with that user [1].

Impact

Successful exploitation enables the attacker to perform session hijacking, stealing session cookies (if not properly protected) and impersonating legitimate users. With access to a victim's session, the attacker can abuse any privileges that user holds within the bestinformed Web application. This could include reading sensitive data, modifying configurations, or performing administrative actions. The fix for CVE-2025-0423 was released in bestinformed Web interface version 6.2.2.5, which also includes the use of HttpOnly and Secure cookie attributes as additional hardening measures to mitigate session theft via JavaScript [1].
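The two layers the narrative above describes can be shown side by side: the improper handling of stored input that makes the XSS possible (and the output encoding that removes it), and the HttpOnly/Secure cookie attributes that the 6.2.2.5 release adds as defense in depth against session theft. The following is an added example, not code from Cordaware or from bestinformed Web; the stored-message list, the cookie name SESSIONID and the SameSite=Lax attribute are assumptions made for the illustration. Note that the cookie flags only limit what an injected script can read; they do not fix the XSS itself, which is why the sanitization change is the actual fix.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input standing in for content that an unauthenticated
# request could leave in the application's storage. The second entry is a
# harmless canary; any stored markup reaching the page is the problem.
STORED_MESSAGES = [
    "Server maintenance tonight at 18:00",
    '<script>alert("stored xss")</script>',
]


def render_vulnerable(messages):
    """'Before' pattern: stored text is concatenated straight into HTML.

    Whatever was stored is interpreted as markup, so a stored <script>
    executes in the browser of every user who views the page.
    """
    return "<ul>" + "".join(f"<li>{m}</li>" for m in messages) + "</ul>"


def render_hardened(messages):
    """'After' pattern: contextual output encoding for the HTML text context.

    html.escape turns < > & " ' into entities, so stored input is shown as
    text and can no longer introduce elements or attributes.
    """
    return "<ul>" + "".join(
        f"<li>{html.escape(m, quote=True)}</li>" for m in messages
    ) + "</ul>"


def contains_script_element(markup):
    """Coarse comparison helper: does the rendered page contain a live <script tag?"""
    return "<script" in markup.lower()


def session_cookie_value(session_id, cookie_name="SESSIONID"):
    """Build a Set-Cookie header value carrying the hardening flags the fix uses.

    HttpOnly keeps document.cookie from exposing the session id to script;
    Secure keeps it off plaintext HTTP. The cookie name and SameSite=Lax are
    assumptions for this example, not details taken from the advisory.
    """
    jar = SimpleCookie()
    jar[cookie_name] = session_id
    morsel = jar[cookie_name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def missing_session_flags(set_cookie_value):
    """Defender-side check: which of HttpOnly/Secure a Set-Cookie value lacks.

    Handy when verifying that an upgraded instance really emits hardened
    session cookies. Returns a sorted list of missing flag names, empty when
    both are present.
    """
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_value.split(";")[1:]
    }
    return sorted({"httponly", "secure"} - attributes)


if __name__ == "__main__":
    print(render_vulnerable(STORED_MESSAGES))
    print(render_hardened(STORED_MESSAGES))
    print(session_cookie_value("abc123"))
    print(missing_session_flags("SESSIONID=abc123; Path=/"))
```

`missing_session_flags` is the piece to reuse after patching: feed it the `Set-Cookie` value the upgraded instance returns on login and confirm the list comes back empty.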

Mitigation Status

The vulnerability is patched in Cordaware bestinformed Web interface version 6.2.2.5, released as part of the Cordaware bestinformed 6.4.0.4 release on 2025-02-13. Users are strongly advised to upgrade to this version or later. No workarounds are documented; applying the update is the recommended action.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
