CVE-2025-2335
Description
A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored/reflected XSS vulnerability in Drivin Soluções' /api/school/registerSchool endpoint allows remote attackers to inject arbitrary scripts via the message parameter.
Vulnerability
Overview
CVE-2025-2335 describes a cross-site scripting (XSS) vulnerability in Drivin Soluções, affecting versions up to 20250226. The flaw resides in the /api/school/registerSchool API endpoint, where the message argument is not properly sanitized before being processed. This allows an attacker to inject arbitrary HTML or JavaScript code. The vendor was contacted but did not respond, leaving the vulnerability unpatched.
Exploitation
The attack can be performed remotely without authentication, as the endpoint appears to be publicly accessible. The exploit has been publicly disclosed on GitHub [1], providing proof-of-concept code. An attacker can send a request whose message parameter carries a script payload that executes when the stored or reflected value is rendered in a victim's browser. No special network position is required beyond internet access to the vulnerable API.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, or unauthorized actions on behalf of the victim. The CVSS score of 3.5 (Low) suggests limited impact, likely due to the need for user interaction or the scope of the attack (e.g., reflected XSS requiring a crafted link). However, the public availability of the exploit increases the risk of targeted attacks.
Mitigation
As of the publication date, no official patch is available. Users of Drivin Soluções should implement input validation and output encoding for the message parameter, or restrict access to the /api/school/registerSchool endpoint via firewall rules or authentication. Given the vendor's lack of response, organizations may need to consider alternative solutions or apply virtual patches through a web application firewall (WAF).
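The mitigation above amounts to two checks on the message parameter: allow-list validation on the way in and HTML entity encoding on the way out. The following is an added illustration, not code from Drivin Soluções or from the disclosed proof of concept; the endpoint's real handler, field names and size limits are unknown, so the rendering functions, the 500-character cap and the sample input are assumptions constructed for the example. It places the unsafe string concatenation that produces this class of bug next to the hardened version so the difference in output is visible.

```javascript
// Added example (not Drivin Soluções' code): validating and output-encoding an
// untrusted "message" field before it is interpolated into HTML.

// Minimal HTML entity map: the five characters that matter in text and
// double/single-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation (assumed limit): reject non-strings, oversized input and
// ASCII control characters; everything else is accepted and encoded on output.
const MAX_MESSAGE_LENGTH = 500;
function validateMessage(message) {
  if (typeof message !== 'string') return { ok: false, reason: 'message must be a string' };
  if (message.length > MAX_MESSAGE_LENGTH) return { ok: false, reason: 'message too long' };
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(message)) {
    return { ok: false, reason: 'control characters not allowed' };
  }
  return { ok: true };
}

// Vulnerable pattern: the raw parameter is concatenated straight into markup,
// so any tag or attribute in it becomes part of the page.
function renderUnsafe(message) {
  return `<p class="message">${message}</p>`;
}

// Hardened pattern: validate first, then encode before interpolation. The
// browser displays the characters literally instead of parsing them.
function renderSafe(message) {
  const v = validateMessage(message);
  if (!v.ok) throw new Error(`rejected message: ${v.reason}`);
  return `<p class="message">${escapeHtml(message)}</p>`;
}

// Constructed sample input for the demonstration.
const SAMPLE_MESSAGE = 'Hello <script>x()</script> & "welcome"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(SAMPLE_MESSAGE));
  console.log('safe:  ', renderSafe(SAMPLE_MESSAGE));
}
```

The encoding is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an inline event handler needs that context's own encoder, which is why output encoding belongs in the template layer rather than in the API that stores the value.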
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.