CVE-2025-24833
Description
Stored cross-site scripting (XSS) vulnerability in desknet's NEO versions V4.0R1.0–V9.0R2.0 allows execution of arbitrary JavaScript in a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in desknet's NEO allows authenticated users to inject arbitrary JavaScript, potentially leading to session hijacking or data theft.
Vulnerability
Overview
CVE-2025-24833 is a stored cross-site scripting (XSS) vulnerability affecting desknet's NEO versions V4.0R1.0 through V9.0R2.0. The flaw resides in the application's failure to properly sanitize user-supplied input before storing it, allowing an authenticated attacker to inject malicious scripts that are later executed in the browsers of other users [1][2].
Exploitation
Prerequisites
Exploitation requires a valid user account on the affected desknet's NEO instance. The attacker must have the ability to submit data that is stored and later displayed to other users, such as comments, messages, or other shared content. No special privileges beyond standard user access are needed, but the attack relies on another user viewing the malicious content [2].
Impact
If successfully exploited, the attacker's JavaScript executes in the context of the victim's session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, or theft of sensitive information displayed in the browser. The CVSS v3 base score is 5.4 (Medium), reflecting the need for user interaction and the limited scope of confidentiality and integrity impact [2].
Mitigation
NEOJAPAN has released security updates to address this vulnerability. Users are advised to upgrade to the latest supported version of desknet's NEO. The vendor's advisory provides specific version information and patching guidance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >= V4.0R1.0, <= V9.0R2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.