CVE-2025-40648
Description
Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Issabel v5.0.0 via the 'numero_conferencia' parameter allows authenticated high-privilege users to inject arbitrary JavaScript.
Vulnerability
Overview
CVE-2025-40648 is a stored cross-site scripting (XSS) vulnerability affecting Issabel v5.0.0. The flaw exists in the conference management functionality, where user input supplied through the 'numero_conferencia' parameter is not properly sanitized before being stored and later rendered in the application [1]. This allows an attacker to inject malicious scripts that will be executed in the browsers of other users viewing the affected page.
Exploitation
Prerequisites
Exploitation requires an authenticated user with high privileges (e.g., administrator) to submit the crafted payload via the conference creation interface at /index.php?menu=conferencia [1]. The vulnerability is rated medium severity (CVSS 4.8) due to the need for high privileges and user interaction. However, once stored, the payload can affect any user who accesses the conference list.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session, potentially enabling actions such as session hijacking, defacement, or redirection to malicious sites. The impact is limited to integrity and confidentiality of the affected session, as indicated by the CVSS vector [1].
Mitigation
The Issabel team has addressed this vulnerability in version 5.0.0-2 of the issabel-pbx module. Users are advised to update to this or later versions to remediate the issue [1]. No workarounds have been publicly documented.
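The description attributes the flaw to missing validation of a value that is stored and later rendered. The following is an added illustration, not Issabel code and not the vendor's fix: a hypothetical handler for a conference-number field, with the two controls that break a stored XSS chain at both ends. It assumes the field is meant to hold a plain numeric conference number (an assumption; the page does not define its format) and that the stored value is printed into an HTML table cell.

```php
<?php
// Added example (not from Issabel). Hypothetical handler for a field such as
// 'numero_conferencia'. Two independent controls are shown: strict validation
// before storage, and HTML output encoding when the stored value is rendered.

// Validate: assume a conference number is digits only (format is assumed here).
// Returns the canonical value, or null to reject the request.
function validate_conference_number(string $raw): ?string {
    $value = trim($raw);
    if (preg_match('/^[0-9]{1,20}$/', $value) !== 1) {
        return null; // anything that is not a bare number is refused
    }
    return $value;
}

// Encode for an HTML text node or quoted attribute. Even if a non-numeric value
// reached the database, encoding on output keeps it from being parsed as markup.
function render_conference_cell(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one well-formed number, one carrying markup.
$inputs = ['8500', '8500<b>x</b>'];
foreach ($inputs as $in) {
    $clean = validate_conference_number($in);
    if ($clean === null) {
        // Report the rejection; the raw value is still encoded before echoing.
        echo "rejected: " . render_conference_cell($in) . "\n";
        continue;
    }
    echo "<td>" . render_conference_cell($clean) . "</td>\n";
}
```

Validation on input is the primary fix for a numeric field; output encoding is the defense-in-depth control that protects every template that later displays the value, including values that were stored before the fix was deployed. A restrictive Content-Security-Policy header on the admin interface would further limit what an injected script could do, but it is not a substitute for either control.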
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.