VYPR
Medium severity (4.6) · NVD Advisory · Published Jun 25, 2025 · Updated Apr 15, 2026

CVE-2025-44206

Description

Hexagon HxGN OnCall Dispatch Advantage (Web) v10.2309.03.00264 and Hexagon HxGN OnCall Dispatch Advantage (Mobile) v10.2402 are vulnerable to Cross Site Scripting (XSS) which allows a remote authenticated attacker with access to the Broadcast (Person) functionality to execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS in Hexagon HxGN OnCall Dispatch Advantage lets an authenticated attacker execute arbitrary JavaScript in the browsers of broadcast recipients via the Broadcast functionality.

A stored DOM cross-site scripting (XSS) vulnerability has been discovered in Hexagon HxGN OnCall Dispatch Advantage (Web) v10.2309.03.00264 and HxGN OnCall Dispatch Advantage (Mobile) v10.2402 [1]. The root cause is a lack of proper output encoding when the application processes requests to the /oncall.webapi/api/Commands//CAD_BCAST_REQ and /oncall.webapi/api/Commands//INFORMER_QUERY_PERSON_REQ API endpoints. Specifically, the firstName and lastName parameters are not sanitized or encoded before being used in JavaScript that dynamically generates notifications on recipients' browsers.

The attack requires the attacker to be an authenticated user with access to the Broadcast (Person) functionality [1]. By placing a JavaScript payload in the firstName or lastName field of a broadcast request, the attacker causes the payload to be stored and later returned without encoding when recipients retrieve broadcasts via the /oncall.webapi/api/Commands//CAD_RETR_BCASTS_REQ endpoint. The notification JavaScript in the recipients' browsers processes this response and inserts the unencoded values into the page, resulting in stored DOM-based XSS [1].

Successful exploitation allows a remote authenticated attacker to execute arbitrary JavaScript code in the context of the web browser of any broadcast recipient [1]. This can lead to further actions such as session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim, depending on the application's permissions and the user's privileges.
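The defect class described above, as an added example that is not Hexagon's code: a notification renderer that concatenates the sender's name into markup next to a hardened version that entity-encodes each field, plus a small check that flags name fields carrying HTML metacharacters. The firstName/lastName fields and the CAD_RETR_BCASTS_REQ command come from the advisory; the response shape, the render functions and the sample records are assumptions constructed for this example.

```javascript
// Added example, not Hexagon's code. Field names firstName/lastName and the
// CAD_RETR_BCASTS_REQ command are from the advisory; the response shape and
// the render functions below are assumptions.

// Constructed sample of what a client might receive from CAD_RETR_BCASTS_REQ;
// record 1 carries markup in both name fields.
const sampleBroadcasts = [
  { firstName: "Alice", lastName: "Smith", text: "Unit 12 on scene" },
  { firstName: "<script>alert(1)</script>", lastName: "\"><i>x</i>", text: "hi" },
];

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Flawed pattern: the sender name is concatenated straight into the markup
// the notification code hands to innerHTML, so any tag in the name becomes
// live DOM in every recipient's browser.
function renderNotificationUnsafe(b) {
  return `<div class="bcast" title="${b.firstName} ${b.lastName}">` +
         `<span class="from">${b.firstName} ${b.lastName}</span>` +
         `<span class="msg">${b.text}</span></div>`;
}

// Hardened form: every untrusted field is encoded for the HTML context it
// lands in, so markup inside a name renders as literal text.
function renderNotificationSafe(b) {
  const from = escapeHtml(`${b.firstName} ${b.lastName}`);
  return `<div class="bcast" title="${from}">` +
         `<span class="from">${from}</span>` +
         `<span class="msg">${escapeHtml(b.text)}</span></div>`;
}

// Server-side validation / detection helper: indices of broadcasts whose
// name fields contain HTML metacharacters, for rejection or logging.
function findMarkupInNames(broadcasts) {
  const meta = /[<>"'&]/;
  return broadcasts
    .map((b, i) => (meta.test(b.firstName) || meta.test(b.lastName) ? i : -1))
    .filter((i) => i >= 0);
}
```

Using `textContent` (or a DOM API that sets text rather than parsing markup) on the client achieves the same effect as `escapeHtml` here; the server-side check is a defence in depth, not a substitute for output encoding.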

As of the publication date, users should apply any patches or mitigations recommended by Hexagon AB [1]. The vulnerability was reported by Yu Xuan Soh and Huan Jun Chan in September 2024, and advisory details have been made publicly available.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: none discovered yet.
