CVE-2025-13584
Description
A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. Manipulation of the argument entry.description/time_entry.description leads to cross site scripting. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.1 resolves this issue. The identifier of the patch is 7dec94c9d1f3e513e0ee38ba68caaba628e08582. Upgrading the affected component is advised.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eigenfocus ≤1.4.0 contains a stored XSS in time entry descriptions due to insufficient HTML escaping, fixed in v1.4.1.
Vulnerability
Analysis
CVE-2025-13584 is a stored cross-site scripting (XSS) vulnerability affecting the Description Handler component of Eigenfocus up to version 1.4.0. The root cause is insufficient sanitization of user-supplied input: the entry.description and time_entry.description arguments are not properly escaped before being rendered in the browser. This allows an attacker to inject arbitrary HTML or JavaScript that is stored on the server and executed when other users view the affected time entry [1][2].
Exploitation
Attackers can exploit this vulnerability remotely without requiring authentication, as the issue lies in the input handling for time entry descriptions. A proof-of-concept payload is provided: `` entered into the time entry description field. When the entry is opened in edit mode, the stored payload triggers execution of the JavaScript [4]. The attack is considered low severity (CVSS 3.1 base score 3.5) because it requires user interaction (viewing the entry) and does not directly compromise server integrity.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Eigenfocus application in the victim's browser. This can lead to session hijacking, account compromise, and other unauthorized actions, such as exfiltration of sensitive data or performing actions on behalf of the victim [4]. The vulnerability is stored, meaning the payload persists and affects all users who view the compromised entry [1].
Mitigation
The vulnerability is fixed in version 1.4.1, which was released to address the HTML escaping issue in autoresizable textareas [3]. The fix commit 7dec94c9d1f3e513e0ee38ba68caaba628e08582 applies proper escaping to time entry descriptions [2]. Users are strongly advised to upgrade to version 1.4.1 or later. There are no known workarounds for unpatched versions.
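The fix described above is output escaping at render time. The following Ruby snippet is an added illustration of that defense and is not Eigenfocus code; the helper names (`render_textarea_unescaped`, `render_textarea_escaped`, `contains_only_textarea_tags?`) and the sample description are constructed for this example. It places the vulnerable interpolation pattern beside the escaped one and includes a check a test suite could run to confirm that a stored description can no longer introduce markup into the rendered textarea.

```ruby
require 'erb'

# Added example (not Eigenfocus code): rendering a time-entry description
# into an autoresizable <textarea>, unescaped versus escaped.
# All method names below are hypothetical.

# Vulnerable pattern: the raw description is interpolated into the HTML,
# so a stored "</textarea>" or "<script>" becomes markup in the page.
def render_textarea_unescaped(description)
  "<textarea class=\"autoresize\">#{description}</textarea>"
end

# Hardened pattern: ERB::Util.html_escape (Ruby standard library) rewrites
# &, <, >, " and ' to entities, so the browser shows the text verbatim.
def render_textarea_escaped(description)
  "<textarea class=\"autoresize\">#{ERB::Util.html_escape(description)}</textarea>"
end

# Regression check: after stripping the textarea wrapper, the fragment
# must not contain any '<' that could open a tag or close the textarea.
def contains_only_textarea_tags?(html)
  inner = html.sub(/\A<textarea[^>]*>/, '').sub(%r{</textarea>\z}, '')
  !inner.include?('<')
end

# Constructed sample input of the kind this advisory describes.
SAMPLE_DESCRIPTION = 'Worked on <script>alert(1)</script> & "quotes"'

if __FILE__ == $PROGRAM_NAME
  puts render_textarea_unescaped(SAMPLE_DESCRIPTION)
  puts render_textarea_escaped(SAMPLE_DESCRIPTION)
  puts contains_only_textarea_tags?(render_textarea_escaped(SAMPLE_DESCRIPTION))
end
```

Inside a `<textarea>` the browser treats content as text until it sees a closing tag, so the escape of `<` is what prevents a stored description from terminating the element and injecting markup after it; Rails templates do this automatically for `<%= %>` output, and the fix commit applies the same treatment where the description was previously emitted raw.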
- Fix autoresizable input by viniciusoyama · Pull Request #358 · Eigenfocus/eigenfocus
- Escapes html from time entry description · Eigenfocus/eigenfocus@7dec94c
- Release v1.4.1 - Library updates and escaping fix · Eigenfocus/eigenfocus
- GitHub - Stolichnayer/eigenfocus-stored-xss: Eigenfocus ≤ v1.4.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in issue title and description field.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (2)
- (no CPE) range: 0.6.0.rc1, 0.9.0.rc3, v0.4.0, …
- (no CPE) range: <=1.4.0
Patches
Patches (3)
7dec94c9d1f37cae86bd2d3861c4d3edfd73
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (6)
News mentions (0)
No linked articles in our index yet.