CVE-2025-3613
Description
A vulnerability has been found in Demtec Graphytics 5.0.7 and classified as problematic. This vulnerability affects unknown code of the file /visualization. The manipulation of the argument description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Demtec Graphytics 5.0.7 has a stored XSS in the /visualization endpoint via the description parameter, requiring low privileges.
A stored cross-site scripting (XSS) vulnerability exists in Demtec Graphytics version 5.0.7. The vulnerability resides in the /visualization endpoint and affects the description parameter. User input is not properly sanitized before being stored, allowing an attacker to inject arbitrary HTML or JavaScript. The vendor was contacted but did not respond.
To exploit the vulnerability, an authenticated user creates or edits a visualization. By providing a crafted payload in the description field, such as "><!---->img src=x onerror=alert(document.cookie) >, the malicious code is stored on the server. When other users view the project list or the affected visualization, the payload executes in the context of their browser.
The impact is limited to the execution of arbitrary scripts in the browser of a user viewing the stored data. This can lead to session hijacking or defacement within the application, as demonstrated by the proof-of-concept using alert(document.cookie) [1]. The CVSS score of 3.5 (Low) reflects the need for user interaction and the limited scope of impact.
No official patch or workaround has been released by Demtec. Since the vendor has not responded, users are advised to apply input validation on the description field or restrict access to the affected functionality until a fix is available.
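As an added illustration of the interim advice above (not code from the CVE record or from Demtec), the following Python shows why a blocklist is the wrong kind of "input validation" for this bug and what output encoding of the description field looks like. The payload string is constructed here in the style of the proof-of-concept quoted in the narrative; Python is only assumed for illustration, since the record does not say what Graphytics is written in.

```python
import html
import re

# Constructed sample in the style of the PoC above: an <img> with an
# onerror handler and no <script> tag at all.
POC_DESCRIPTION = '"><!----><img src=x onerror=alert(document.cookie)>'

# Input that tries to open a tag or attach an inline event handler.
_SUSPICIOUS = re.compile(r'<|\bon[a-z]+\s*=', re.IGNORECASE)


def naive_blocklist(description: str) -> str:
    """Weak mitigation that only strips <script> tags. Kept here to show
    why a blocklist is not enough: the PoC never uses <script>."""
    return re.sub(r'</?script[^>]*>', '', description, flags=re.IGNORECASE)


def render_description(description: str) -> str:
    """Output-encode the stored description before placing it in HTML.
    Characters that could close an attribute or open a tag are escaped,
    so the browser shows the payload as literal text."""
    return '<p class="description">%s</p>' % html.escape(description, quote=True)


def is_rendered_safe(fragment: str) -> bool:
    """Check the rendered fragment: nothing inside the wrapping <p> may
    open a new tag, so an event-handler string is inert text."""
    inner = fragment[len('<p class="description">'):-len('</p>')]
    return '<' not in inner


def looks_like_xss_attempt(description: str) -> bool:
    """Server-side detection hint for incoming descriptions: flags input
    that tries to break out of an attribute or attach an event handler."""
    return _SUSPICIOUS.search(description) is not None
```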
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =5.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.