CVE-2025-10348
Description
URVE Smart Office is vulnerable to Stored XSS in report problem functionality. An attacker with a low-privileged account can upload an SVG file containing a malicious payload, which will be executed when a victim visits the URL of the uploaded resource. The resource is available to anyone without any form of authentication.
This issue was fixed in version 1.1.24.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
URVE Smart Office prior to 1.1.24 has a stored XSS via SVG upload in the report problem feature, exploitable by low-privileged users.
Description
CVE-2025-10348 is a stored cross-site scripting (XSS) vulnerability in URVE Smart Office, an office resource reservation system. The flaw is in the application's report problem functionality, which accepts user-supplied SVG files and later serves them without neutralizing their content (CWE-79, improper neutralization of input during web page generation) [2]. An attacker can upload an SVG file containing an embedded script. When a browser opens an SVG directly at its own URL (rather than through an <img> element), it treats the file as a full document and runs any <script> element or event-handler attribute it contains. Because the uploaded resource is publicly accessible without authentication, any visitor to the resource URL triggers the payload.
Exploitation
To exploit this vulnerability, an attacker needs only a low-privileged account on the URVE Smart Office system. After the attacker uploads a crafted SVG file via the report problem feature, the file, and with it the script, is stored server-side. When a victim, who may be any unauthenticated user, visits the direct URL of the uploaded SVG, the script executes in the victim's browser in the origin that serves the file. No additional privileges, and no user interaction beyond opening the URL, are required [1][2].
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser. If the upload is served from the application's own origin, as the description implies, the script runs with that origin's privileges: it can read non-HttpOnly cookies and local storage, and issue requests that carry the victim's session, enabling session hijacking, data theft, or other unauthorized actions within the Smart Office application. Because the resource is reachable without authentication, the attacker can distribute the URL widely; an administrator who opens it would expose an administrative session, escalating the impact [2].
Mitigation
The vulnerability is fixed in URVE Smart Office version 1.1.24. Users of earlier versions are strongly advised to update to that release or later. No workarounds have been publicly documented [1][2]. Generic defenses for this class of bug, such as rejecting SVG uploads that contain script or event handlers, serving user uploads with Content-Disposition: attachment, or serving them from a separate origin, reduce exposure but are not vendor-documented mitigations for this issue.
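The following is an added example, not URVE Smart Office code or the vendor's fix. It illustrates the two generic defenses named above for the upload and serving steps described on this page: a server-side gate that rejects an SVG carrying script, event handlers, script-capable URL schemes or embedded HTML, and the response headers that stop a stored file from executing as a document in the application's origin. The function names and the two sample SVGs are constructed for this example.

```python
# Added example: a server-side gate for SVG uploads and the headers to serve
# them with. Illustrative code, not URVE Smart Office's code or fix; the
# function names and the two sample SVGs below are assumptions made here.
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or smuggle in HTML when opened directly.
ACTIVE_ELEMENTS = {"script", "foreignObject", "handler"}
# Attributes whose value is a URL the browser may navigate to or fetch.
URL_ATTRS = {"href", "src", "data", "action", "formaction"}
# Schemes that execute. Matched after whitespace/control characters are
# stripped, the way browsers do before scheme matching ("java\tscript:").
# data: is allowed only for raster images.
ACTIVE_SCHEME = re.compile(
    r"^(?:javascript|vbscript):|^data:(?!image/(?:png|jpe?g|gif|webp)[;,])"
)
CSS_TOKENS = ("javascript:", "expression(", "@import", "-moz-binding")


def _local(name: str) -> str:
    """Strip ElementTree's {namespace} prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _normalize(value: str) -> str:
    """Drop whitespace and control characters and lower-case, before matching."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def svg_risks(data: bytes) -> list:
    """Return the reasons this SVG must not be served inline; [] means clean.

    Unparseable input is treated as unsafe. In production parse with
    defusedxml as well, to rule out entity-expansion attacks; the stdlib
    parser is used here so the example runs unmodified.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    risks = []
    if _local(root.tag) != "svg":
        risks.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            risks.append(f"<{name}> element")
        if name == "style" and el.text and any(t in _normalize(el.text) for t in CSS_TOKENS):
            risks.append("<style> element with active CSS")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            norm = _normalize(value)
            if aname.startswith("on"):
                risks.append(f"event handler attribute {aname} on <{name}>")
            elif aname in URL_ATTRS and ACTIVE_SCHEME.match(norm):
                risks.append(f"{aname} on <{name}> uses scheme {norm.split(':', 1)[0]}:")
            elif aname == "style" and any(t in norm for t in CSS_TOKENS):
                risks.append(f"style attribute with active CSS on <{name}>")
    return risks


def safe_upload_headers(filename: str) -> dict:
    """Headers that keep a stored file from running as a document in the
    application's origin even if the scan above misses something. Generic
    defense in depth, not a vendor-documented workaround for this CVE."""
    # No CR, LF or quotes may reach the header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Force a download instead of rendering the SVG as a top-level document.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If a client renders it anyway: no script, and an opaque origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not real URVE uploads).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
MALICIOUS_SVG = b'''<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="20">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(1)"/></body></foreignObject>
</svg>'''

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_risks(blob) or "clean")
    print(safe_upload_headers('report"; \r\nproblem.svg'))
```

The gate rejects rather than sanitizes: stripping tags from an attacker-controlled XML document is error-prone, and a report-problem feature has no need to accept SVG at all. The headers are the second layer, for files that are already stored or that a future check misses.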
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
URVE Smart Office, versions < 1.1.24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.