VYPR
Medium severity · NVD Advisory · Published Feb 18, 2025 · Updated Apr 15, 2026

CVE-2025-0424

Description

In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple authenticated stored cross-site scripting vulnerabilities. An authenticated attacker is able to compromise the sessions of other users on the server by injecting JavaScript code into their session using an "Authenticated Stored Cross-Site Scripting". Those other users might have more privileges than the attacker, enabling a form of horizontal movement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-0424 is an authenticated stored XSS in Cordaware bestinformed Web that enables session compromise via unsanitized user input.

Vulnerability

CVE-2025-0424 is an authenticated stored cross-site scripting (XSS) vulnerability in the Cordaware bestinformed Web interface. The application fails to properly sanitize user input, allowing an authenticated attacker to inject malicious JavaScript code that is stored and later executed in the context of other users' sessions [1].

Exploitation

To exploit the flaw, the attacker must be authenticated. They inject the payload into a stored field (e.g., a comment or profile field) that is later displayed to other users. When a victim views that content, the script executes in the victim's browser and session. Because the victim may hold more privileges than the attacker, acting inside the victim's session is the "form of horizontal movement" the description refers to: the attacker reaches accounts, and their privileges, that were not directly available.

Impact

Successful exploitation compromises the sessions of other users, potentially leading to unauthorized access to sensitive data, privilege escalation, and further malicious actions under the victims' identities. The attacker can steal session cookies or perform actions on behalf of higher-privileged users.

Mitigation

The vendor has addressed the vulnerability in bestinformed Web interface version 6.2.2.5, as detailed in their changelog [1]. Users are advised to update to this version or later to remediate the issue.
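The root cause described above (stored user input reaching other users' browsers without sanitization) and the fix (encoding output for its HTML context) can be shown side by side. The following is an added example and is not code from Cordaware or from bestinformed Web; the profile record, field names and rendering functions are constructed for illustration. It contrasts the unsafe interpolation pattern with a context-aware escaped renderer and includes a small regression check that a team could keep in CI to catch a stored field that still produces active markup.

```javascript
// Added example, not bestinformed Web code: a stored-field renderer in its
// vulnerable form beside its hardened form, plus a regression check.
// The profile record and field names below are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text and quoted-attribute contexts. Applying
// this to every untrusted value at render time is the missing step in a
// stored XSS bug: the data may be stored as-is, but it must never be
// interpolated into markup unencoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: stored user input concatenated straight into markup.
// Whatever one user saved runs in every other user's browser that views it.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.displayName}</h2><p>${profile.bio}</p></div>`;
}

// Hardened form: each untrusted value passes through the encoder for the
// context it lands in (here, HTML text content).
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.displayName)}</h2><p>${escapeHtml(profile.bio)}</p></div>`;
}

// Regression check: does rendered markup still contain a scriptable tag or an
// inline event handler? A coarse test, but it flags the unsafe renderer above.
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed record standing in for a field one authenticated user writes
// and other (possibly higher-privileged) users later view.
const constructedProfile = {
  displayName: 'alice',
  bio: 'Hello <script>document.title="xss"</script>',
};

// Render the same record both ways and report whether active markup survived.
function demo(profile = constructedProfile) {
  const unsafe = renderProfileUnsafe(profile);
  const safe = renderProfileSafe(profile);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveMarkup(unsafe), // true: script tag is live
    safeActive: containsActiveMarkup(safe),     // false: rendered as text
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Output encoding at the point of rendering is the fix; marking the session cookie `HttpOnly` and deploying a Content Security Policy reduce what an injected script can do if a renderer is missed, but they do not replace the encoding step.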

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
