CVE-2025-29322
Description
A cross-site scripting (XSS) vulnerability in ScriptCase before v1.0.003 - Build 3 allows attackers to execute arbitrary code via a crafted payload to the "Connection Name" in the New Connection and Rename Connection pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ScriptCase Connection Name field allows arbitrary JavaScript execution via crafted payload.
Vulnerability Description
A stored cross-site scripting (XSS) vulnerability exists in ScriptCase versions prior to v1.0.003 - Build 3. The Connection Name parameter in the New Connection and Rename Connection pages fails to sanitize user input, allowing attackers to inject arbitrary JavaScript code. The malicious payload is stored in the application's database and executed whenever a user accesses these pages [2].
Exploitation
An attacker can exploit this vulnerability by navigating to the Database Connections section, selecting New Connection, and entering a crafted payload such as '> into the Connection Name field. No authentication is required to trigger the stored payload, though session privileges affect the impact [2].
Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser, leading to session hijacking (e.g., stealing PHPSESSID cookies), privilege escalation if an admin views the page, and exfiltration of sensitive data such as database credentials [2].
Mitigation
The vendor has addressed this vulnerability in Scriptcase v1.0.003 - Build 3. Users should update to the latest version. The vendor website [1] provides download and support information.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.0.003 Build 3
Patches
No patches discovered yet.
References