CVE-2025-1888
Description
The Leica Web Viewer within the Aperio Eslide Manager Application is vulnerable to reflected cross-site scripting (XSS). An authenticated user can access the slides within a project and inject malicious JavaScript into the "memo" field. The memo field has a hover-over action that displays a Microsoft Tool Tip, which lets a user quickly view the memo associated with the slide and which executes the injected JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can inject malicious JavaScript into the Aperio Eslide Manager memo field, leading to reflected XSS when hovering over the memo tooltip.
Vulnerability
Overview
The Leica Web Viewer within the Aperio Eslide Manager application is vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user input in the slide 'memo' field [1]. An authenticated user with access to slides within a project can inject a malicious JavaScript payload into the memo field and save it. The memo field has a hover-over icon that displays a Microsoft Tool Tip, which triggers execution of the stored script [1].
Exploitation
Prerequisites
Exploitation requires an authenticated user account with permission to view and edit slide memos [1]. The attacker saves the malicious payload to a slide memo. However, there is a caveat: if the victim clicks the 'View all Memos' button above the slide deck, the payload enters a sink that properly sanitizes input, preventing execution. In that scenario, the attacker would need to re-save the memo and ensure the victim does not view all memos for the payload to execute [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session when the victim hovers over the memo tooltip [1]. This can lead to actions performed on behalf of the authenticated user, data exfiltration, or other client-side attacks within the application's security context.
Mitigation
Status
According to the public disclosure, the only confirmed affected version is 12.3.2.5030 [1]. The vulnerability was reported to Leica Biosystems on November 20, 2024, and publicly disclosed on March 14, 2025, after no patch was confirmed during the disclosure timeline [1]. Operators should check for updates from Leica Biosystems or restrict access to memo fields until a fix is available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The memo field does not properly sanitize user-controllable input before it is displayed in a web page tool tip, allowing injection of arbitrary JavaScript."
Attack vector
An authenticated attacker with access to view slides (e.g., a research-only guest account) navigates to the Eslide Manager application and opens a case [ref_id=1]. The attacker clicks on the memo field, enters a malicious JavaScript payload, and saves it [ref_id=1]. When any user hovers over the memo's clipboard icon, the Microsoft Tool Tip displays the memo content and the injected JavaScript executes [ref_id=1]. A caveat exists: if the victim clicks the "View all Memos" button first, the payload is placed into a sink that sanitizes input and prevents execution, requiring the attacker to re-save the memo [ref_id=1].
Affected code
The vulnerability resides in the memo field of the Leica Web Viewer within the Aperio Eslide Manager application [ref_id=1]. The memo field does not properly sanitize user-controllable input before it is placed in output used as a web page [CWE-79]. The advisory does not specify exact file paths or function names.
What the fix does
The advisory does not include a patch or confirm whether a fix has been released [ref_id=1]. The recommended remediation is to properly sanitize user input in the memo field before it is rendered in the web page, preventing JavaScript from being executed via the tool tip hover action [CWE-79]. Due to the scope of the assessment, the researchers were unable to verify whether this bug has been fixed in other versions [ref_id=1].
Preconditions
- auth: Attacker must be authenticated with access to view slides in the Eslide Manager application
- input: Attacker must have access to a project containing slides with editable memo fields
- input: Victim must hover over the memo clipboard icon and must not have clicked 'View all Memos' first
Reproduction
1. Log in as a user with access to view slides (e.g., a research-only guest account). Navigate to the Eslide Manager application by viewing a case [ref_id=1].
2. Click on the memo field and enter a malicious JavaScript payload. Remember to hit save [ref_id=1].
3. Hover over the clipboard icon and observe the reflected response executing the payload [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 1
News mentions: 0
No linked articles in our index yet.