CVE-2025-11125
Description
A vulnerability was found in langleyfcu Online Banking System up to 57437e6400ce0ae240e692c24e6346b8d0c17d7a. It affects unknown functionality in the file /connection_error.php of the component Error Message Handler. Manipulating the argument Error results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in the Error Message Handler of langleyfcu Online Banking System allows remote unauthenticated attackers to inject arbitrary scripts via the Error parameter in /connection_error.php.
A reflected cross-site scripting (XSS) vulnerability was discovered in the langleyfcu Online Banking System, affecting the /connection_error.php script. The Error parameter is not properly sanitized before being reflected back to the user, allowing an attacker to inject arbitrary HTML and JavaScript. The issue affects the code base up to commit 57437e6400ce0ae240e692c24e6346b8d0c17d7a; the project uses a rolling-release delivery model, so no version numbers are given [1].
Exploitation is remote and does not require authentication. An attacker can craft a malicious URL containing a special payload in the Error argument and trick a victim into clicking it. No special network position is needed beyond normal internet access. The vulnerability has been publicly disclosed with proof-of-concept material available [1].
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the user's browser session. This can lead to session token theft, credential harvesting, defacement, or redirection to malicious sites. The impact is limited by the same-origin policy, but sensitive data may be exposed if the application stores cookies or other secrets accessible to client-side scripts.
Currently, no patched version has been explicitly announced due to the rolling-release model. Users are advised to contact their vendor for updates and to implement generic web application firewall (WAF) rules or input validation as a temporary workaround. The public disclosure increases the risk of widespread exploitation [1].
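The input-validation workaround mentioned above could look like the following hardened error page. This is an added example, not the project's code: the source of /connection_error.php is not shown here, so the vulnerable pattern in the comment, the message codes and the function names are assumptions; only the parameter name Error comes from the CVE text.

```php
<?php
// Added example (hypothetical): hardened handling of the "Error" parameter.
declare(strict_types=1);

// Assumed vulnerable pattern, reflecting the parameter as markup:
//     echo "<p>" . $_GET['Error'] . "</p>";

// Constructed allowlist: callers pass a short code, the page picks the text.
const ERROR_MESSAGES = [
    'db_down' => 'The database is currently unavailable.',
    'timeout' => 'The connection timed out. Please try again.',
];

function error_text(mixed $raw): string
{
    // Error[]=x arrives as an array; treat anything but a string as absent.
    if (!is_string($raw)) {
        return 'An unexpected error occurred.';
    }
    // Known code: fixed server-side message, nothing request-controlled.
    if (array_key_exists($raw, ERROR_MESSAGES)) {
        return ERROR_MESSAGES[$raw];
    }
    // Legacy free-text callers: cap the length; encoding happens at output.
    return substr($raw, 0, 200);
}

function render_error(mixed $raw): string
{
    // Encode for the HTML body context. ENT_QUOTES also covers attribute
    // values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $safe = htmlspecialchars(error_text($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $safe . '</p>';
}

// Defence in depth: refuse inline script even if an encoding step is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');
echo render_error($_GET['Error'] ?? null);
```

Requires PHP 8.0 or later for the `mixed` type. The allowlist is the stronger control; the free-text fallback exists only for callers that cannot yet be switched to codes.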
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)range: <=57437e6400ce0ae240e692c24e6346b8d0c17d7a
- (no CPE)
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.