CVE-2025-15355

Vulnerability

Overview

ISOinsight, developed by NetVision Information, is affected by a Reflected Cross-site Scripting (XSS) vulnerability. The flaw exists in versions 2.9 2.9.0.x before 2.9.0.250911 and 3.0.0.x before 3.0.0.251127 [2]. The root cause is insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary JavaScript code into a response [1][2].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious link that, when clicked by a victim, reflects the injected script in the browser. The attack requires user interaction, such as clicking a phishing link, and does not require any prior authentication [1][2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive information, session hijacking, or defacement. The CVSS v3.1 score is 6.1 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating low confidentiality and integrity impact but a changed scope [2].

Mitigation

NetVision Information has released patches: update to version 2.9.0.250911 or later for the 2.9.0.x branch, and version 3.0.0.251127 or later for the 3.0.0.x branch [2]. Users are advised to apply the updates immediately.