VYPR
Low severity · 3.5 · NVD Advisory · Published Sep 25, 2025 · Updated Apr 15, 2026

CVE-2025-10946

Description

A vulnerability was detected in nuz007 smsboom up to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674. The affected element is an unknown function of the file dy.php. Performing manipulation of the argument hm results in cross site scripting. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected cross-site scripting vulnerability exists in nuz007/smsboom's dy.php file via the hm parameter, allowing remote attacks.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability has been identified in the nuz007/smsboom project, specifically in the dy.php file. The issue arises from improper sanitization of the hm argument, which is directly reflected in the output without proper encoding or validation [1]. The affected commit is 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674, and the project follows a rolling release model, meaning specific version numbers for affected or patched releases are not provided.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the hm parameter. When a victim visits the crafted URL, the payload executes in the context of the victim's browser. No authentication is required, and the attack can be performed remotely over the network. The attack complexity is low, but user interaction is required (the victim must click the link).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to, for example, session hijacking, defacement, or redirection to malicious sites. The CVSS v3 base score is 3.5 (Low), reflecting the need for user interaction and the limited scope of impact.

Mitigation

As of the publication date, no official patch has been released. Users are advised to sanitize the hm parameter in dy.php by escaping HTML entities or using a content security policy. Given the rolling release model, users should monitor the repository, since the maintainer may address this in a future commit.
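The two mitigations named above, as an added example that is not code from smsboom or from this advisory. The contents of dy.php are not shown on the page, so the helper names `safe_hm` and `send_security_headers`, the 64-byte cap, and the surrounding markup are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the real dy.php is not available here, so this only
// shows how a reflected request value such as "hm" can be emitted safely.

/** Return the hm value encoded for HTML element content or a quoted attribute. */
function safe_hm(array $query): string
{
    $raw = $query['hm'] ?? '';

    // A request like ?hm[]=x delivers an array, not a string. Treat any
    // non-string as empty instead of handing it to htmlspecialchars().
    if (!is_string($raw)) {
        return '';
    }

    // Assumed length cap. A multi-byte character cut in half here is
    // replaced with U+FFFD by ENT_SUBSTITUTE below.
    $raw = substr($raw, 0, 64);

    // ENT_QUOTES encodes both quote characters, so the value cannot close
    // an attribute; <, > and & are always encoded.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Second layer: a policy without 'unsafe-inline' stops reflected inline script. */
function send_security_headers(): void
{
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, for checking the encoder from the command line.
    $samples = [['hm' => 'abc123'], ['hm' => '<b>markup</b>'],
                ['hm' => '" x="y'], ['hm' => ['nested']], []];
    foreach ($samples as $query) {
        echo var_export(safe_hm($query), true), "\n";
    }
} else {
    send_security_headers();
    echo '<p>hm: ' . safe_hm($_GET) . '</p>';
}
```

The encoding shown is correct for HTML body text and quoted attributes only; a value written into a script block, a URL, or CSS needs the encoder for that context. The policy assumes the page loads no inline scripts of its own.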

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

4
