VYPR
Low severity · 3.5 · NVD Advisory · Published Oct 5, 2025 · Updated Apr 29, 2026

CVE-2025-11308

Description

A vulnerability was identified in Vanderlande Baggage 360 7.0.0. This issue affects some unknown processing of the file /api-addons/v1/messages. Such manipulation of the argument Message leads to cross-site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in Vanderlande Baggage 360 v7.0.0 allows authenticated attackers to inject arbitrary JavaScript via the message field.

Vulnerability

Overview

CVE-2025-11308 is a stored cross-site scripting (XSS) vulnerability in Vanderlande's Baggage 360 software, version 7.0.0. The issue resides in the /api-addons/v1/messages endpoint, where the Message argument is not properly sanitized. The application accepts HTML input in the message field, stores it without escaping, and later renders it in the user interface, allowing JavaScript execution. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [1][2].

Exploitation

Details

An authenticated attacker with access to the "Bags" screen can exploit this by intercepting a message creation request and replacing the Message value with an XSS payload. The malicious message is stored and executes when any user views the bag's journey details (Bags → [bag tag] → Interterm Bag Journey Details → Messages). Because the application supports bulk selection, a single request can attach the payload to multiple bag tags at once, widening the attack's reach [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the target user's session. This could lead to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) reflects a high confidentiality impact, with a base score of 7.1 per the researcher's assessment, though the official NVD score is 3.5 [1].

Mitigation

Status

The vendor was contacted about this disclosure but did not respond, per the CVE entry. As of publication, no official patch or workaround is documented. A public exploit is available, and earlier versions may also be affected, although that has not been confirmed. Organizations using Baggage 360 should monitor for vendor updates and apply application-level protections in the meantime: contextual output encoding of the Message field wherever it is rendered, input validation that rejects markup in a free-text message, and a review of already-stored messages for payloads planted before the controls were in place [1][2].
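To make the mechanism described in the Overview and the mitigations listed here concrete, the block below is an added example written for this page; it is not Baggage 360 code, and nothing about the product's real storage, templates or field names is known beyond the Message argument. The message store, the bag-tag values and the sample payload are constructed stand-ins. It shows the vulnerable render (stored text interpolated into HTML verbatim), the hardened render (HTML-encoding at output time), a validation check that rejects markup in a free-text field, and a sweep over stored messages to find payloads already planted, including the bulk-selection case where one request lands the same message on several bags.

```python
import html
import re

# Constructed sample payload for this demo. It is not the researcher's PoC
# payload, which is not reproduced in the advisory text.
SAMPLE_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


class MessageStore:
    """Hypothetical stand-in for the application's message storage:
    one list of free-text messages per bag tag."""

    def __init__(self):
        self._messages = {}

    def add_message(self, bag_tags, message):
        """Attach one message to every selected bag tag.

        Mirrors the bulk-selection behaviour described above: a single
        request can plant the same message on many bags.
        """
        for tag in bag_tags:
            self._messages.setdefault(tag, []).append(message)

    def messages_for(self, bag_tag):
        return list(self._messages.get(bag_tag, []))

    def tags(self):
        return list(self._messages)


def render_messages_unsafe(store, bag_tag):
    """Vulnerable pattern (CWE-79): stored text is dropped into the HTML
    unchanged, so any markup in a message becomes part of the page."""
    items = "".join(f"<li>{m}</li>" for m in store.messages_for(bag_tag))
    return f'<ul class="messages">{items}</ul>'


def render_messages_safe(store, bag_tag):
    """Hardened pattern: HTML-encode each message at output time.

    html.escape with quote=True also neutralises quotes, so the same
    function is safe for text that ends up inside an attribute value.
    """
    items = "".join(
        f"<li>{html.escape(m, quote=True)}</li>" for m in store.messages_for(bag_tag)
    )
    return f'<ul class="messages">{items}</ul>'


# A tag start: '<', optional '/', then a letter or '!' (covers <script>,
# </li>, <!-- ... -->). A bare '<' followed by a digit or space is left alone
# so that ordinary text such as "load < 50%" is not rejected.
_MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def looks_like_markup(message):
    """Secondary input-validation check for a free-text message field,
    which has no legitimate need to carry HTML tags."""
    return _MARKUP_RE.search(message) is not None


def find_suspicious_messages(store):
    """Sweep every stored message for markup. Useful after the fact, to
    find payloads that were planted before validation or encoding existed."""
    hits = []
    for tag in store.tags():
        for m in store.messages_for(tag):
            if looks_like_markup(m):
                hits.append((tag, m))
    return hits


if __name__ == "__main__":
    store = MessageStore()
    # Constructed bag tags; one request targets two bags at once.
    store.add_message(["0123456789", "9876543210"], SAMPLE_PAYLOAD)
    store.add_message(["0123456789"], "Bag rerouted to carousel 4 (load < 50%)")
    print("unsafe:", render_messages_unsafe(store, "0123456789"))
    print("safe:  ", render_messages_safe(store, "0123456789"))
    print("hits:  ", find_suspicious_messages(store))
```

The unsafe render emits the payload as live markup, while the safe render turns it into `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text. Output encoding is the control that actually closes CWE-79; the markup check is defence in depth for a field that should never carry tags, and the sweep is what an incident responder would run against existing data, since a message stored before the fix still fires on every view until it is removed or the renderer is fixed.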

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0. No linked articles in our index yet.