CVE-2025-41367
Description
Stored Cross-Site Scripting (XSS) vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store a malicious JavaScript payload in the software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can only be executed with permissions higher than the view permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in ZIV IDF and ZLF devices allows authenticated attackers with high permissions to inject malicious scripts that execute in victims' browsers.
Vulnerability
Root Cause
CVE-2025-41367 is a stored cross-site scripting (XSS) vulnerability affecting ZIV's IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04 protections. The flaw arises from insufficient sanitization of user-controlled input when certain commands that require higher-level permissions are executed. An attacker can store a malicious JavaScript payload within the device's software, which will later execute in the browser of an unsuspecting victim who views the affected content. [1]
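The advisory attributes the flaw to stored input being rendered without sanitization, but it does not name the field or the page involved. The following added example (not ZIV's code; the "label" field, the table-cell and input-attribute contexts, and the sample payloads are all assumptions for illustration) shows the vulnerable rendering pattern next to the hardened one, and uses Python's own HTML parser to confirm that output encoding turns the stored value into inert text in both an element-body and an attribute context.

```python
import html
from html.parser import HTMLParser

# Constructed sample values: what a privileged user might store through a
# configuration command. These are illustrative payloads, not values from the
# advisory.
STORED_LABEL_BODY = "<script>alert(document.cookie)</script>"
STORED_LABEL_ATTR = '" onfocus="alert(1)'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes seen in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[tuple[str, str | None]]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_tags(fragment: str):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


# --- Vulnerable pattern: stored input interpolated straight into HTML --------
def render_cell_unsafe(label: str) -> str:
    return f'<td class="label">{label}</td>'


def render_input_unsafe(label: str) -> str:
    return f'<input type="text" name="label" value="{label}">'


# --- Hardened pattern: encode at output time for the context being written ----
def render_cell_safe(label: str) -> str:
    # html.escape encodes < > & so the browser treats the value as text.
    return f'<td class="label">{html.escape(label, quote=True)}</td>'


def render_input_safe(label: str) -> str:
    # quote=True also encodes " and ', which is what keeps the value from
    # closing the attribute and introducing an event handler.
    return f'<input type="text" name="label" value="{html.escape(label, quote=True)}">'


def element_names(fragment: str) -> list[str]:
    """Tag names the browser-side parser would create from this fragment."""
    return [tag for tag, _ in parse_tags(fragment)]


def attribute_names(fragment: str) -> list[str]:
    """Attribute names on the first element of the fragment."""
    tags = parse_tags(fragment)
    return [name for name, _ in tags[0][1]] if tags else []


if __name__ == "__main__":
    # Body context: the unsafe render yields a second, executable element.
    print(element_names(render_cell_unsafe(STORED_LABEL_BODY)))  # ['td', 'script']
    print(element_names(render_cell_safe(STORED_LABEL_BODY)))    # ['td']
    # Attribute context: the unsafe render grows an onfocus handler.
    print(attribute_names(render_input_unsafe(STORED_LABEL_ATTR)))
    print(attribute_names(render_input_safe(STORED_LABEL_ATTR)))
```

The detection-side takeaway is the same for any stored-XSS finding: audit every place the stored value is written back out, not the place it is accepted, and encode for the specific context (element body, attribute, URL, script) at that point. Input filtering on the command path alone is not a substitute, since a privileged user is by definition allowed to submit the value.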
Attack
Vector and Prerequisites
Exploiting this vulnerability requires prior authentication to the affected device. In addition, the attacker must hold permissions higher than the basic "view" permission in order to run the specific commands that enable the injection. The attack is carried out over the network and needs no special targeting technique; beyond an authenticated account in one of those higher-permission roles, no further privileges are required. [1]
Impact
Assessment
A successful attack results in the execution of the attacker-supplied JavaScript in the victim's browser session. This can lead to compromise of the confidentiality and integrity of the victim's interactions with the device, potentially allowing the attacker to perform actions on behalf of the victim, exfiltrate session cookies, or deface the device interface. The CVSS v4.0 base score is 4.8, reflecting a medium severity due to the required privileged access and user interaction. [1]
Mitigation
Status
ZIV has released firmware version 1.1.0 to remediate this vulnerability, along with several other issues disclosed in the same advisory. Users are strongly advised to update their IDF and ZLF devices to the latest firmware version to eliminate the risk. The vendor has addressed this specific CVE as part of the coordinated disclosure published by INCIBE. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.