CVE-2025-40697
Description
Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary script in a victim's browser through the 'page' parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Lewe WebMeasure via the 'page' parameter of /index.php allows arbitrary script execution in the victim's browser and theft of sensitive data such as session cookies.
Vulnerability
Overview
A reflected Cross-Site Scripting (XSS) vulnerability exists in the /index.php endpoint of Lewe WebMeasure. The value of the page parameter is written back into the response without HTML output encoding, so an attacker can inject arbitrary JavaScript or HTML into the page. The root cause is the missing output encoding at that sink in the application code [1].
Exploitation
An attacker can craft a malicious URL containing a specially crafted page parameter. The victim must be tricked into clicking the link (e.g., via phishing). No authentication is required to access the vulnerable endpoint. The attack is reflected, meaning the payload executes in the victim's browser when the crafted URL is visited [1].
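The following script is an added example, not code from the advisory or from Lewe WebMeasure. It builds the probe URL described above, sends a unique canary in the `page` parameter and classifies how the canary comes back: raw (no output encoding, the reported defect), fully HTML-entity encoded, or only partially transformed. Because the product is no longer distributed, the two `render_*` functions are constructed stand-ins that model an unencoded and an encoded sink so the check can be run offline; they are assumptions, not WebMeasure's source.

```python
"""Reflection check for the `page` parameter of /index.php (added example).

`render_without_encoding` and `render_with_encoding` are constructed models
of the two sink behaviours described in the advisory; they are not the
product's own code.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

VULN_PATH = "/index.php"
VULN_PARAM = "page"


def make_canary(token=None):
    """Marker that closes an attribute and opens a tag if reflected raw.

    The leading `"><` and trailing `>` are exactly the characters an
    HTML-encoding sink must neutralise; the hex token keeps each probe unique
    so a cached or unrelated page cannot yield a false hit.
    """
    token = token or secrets.token_hex(4)
    return f'"><wm{token}>'


def build_probe_url(base_url, canary):
    query = urllib.parse.urlencode({VULN_PARAM: canary})
    return f"{base_url.rstrip('/')}{VULN_PATH}?{query}"


def classify_reflection(body, canary):
    """Classify how the canary was reflected in an HTML response.

    unencoded: raw canary present, i.e. the sink applies no output encoding
    encoded:   only the htmlspecialchars-style form (&quot;&gt;&lt;...&gt;)
    partial:   the token is present but neither form matches exactly
               (e.g. quotes left raw while angle brackets are encoded)
    absent:    the parameter is not reflected at all
    """
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    token = canary[len('"><'):-1]  # the wm<hex> part of the canary
    if token in body:
        return "partial"
    return "absent"


# Constructed stand-in templates (assumed models, not the product's source).

def render_without_encoding(page):
    # Models the reported defect: parameter concatenated into HTML verbatim.
    return f'<html><body><input name="page" value="{page}"><h1>{page}</h1></body></html>'


def render_with_encoding(page):
    # Same template with HTML-entity encoding applied at the output sink.
    safe = html.escape(page, quote=True)
    return f'<html><body><input name="page" value="{safe}"><h1>{safe}</h1></body></html>'


def probe(base_url, timeout=10):
    """Fetch the probe URL from a live host and classify the reflection."""
    canary = make_canary()
    url = build_probe_url(base_url, canary)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return canary, classify_reflection(body, canary)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against a host you are authorised to test.
        canary, verdict = probe(sys.argv[1])
        print(f"{sys.argv[1]}: {verdict} (canary {canary!r})")
    else:
        # Offline demonstration against the constructed models.
        c = make_canary("0badc0de")
        print("probe URL:", build_probe_url("https://example.test", c))
        for name, render in (("no encoding", render_without_encoding),
                             ("with encoding", render_with_encoding)):
            print(f"{name}: {classify_reflection(render(c), c)}")
```

A `partial` verdict deserves a manual look at the reflected context: a sink that encodes `<` and `>` but leaves `"` raw is still exploitable when the value lands inside an attribute, which is why the canary carries both an attribute breakout and a tag opener.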
Impact
Successful exploitation lets the attacker run arbitrary script in the victim's browser in the origin of the WebMeasure application. This can lead to theft of session cookies, exfiltration of sensitive data, or actions performed as the authenticated user if the victim is logged in. The CVSS v4.0 base score is 5.1 (Medium), with attack vector Network and low attack complexity [1].
Mitigation
Lewe WebMeasure is no longer available on the vendor's website and is no longer supported. No patch is available. Users should migrate to an alternative solution and ensure the application is not exposed to untrusted networks. There is no exploit activity publicly reported as of the advisory [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)