VYPR
Medium severity (score 4.3) · NVD Advisory · Published May 10, 2025 · Updated Apr 15, 2026

CVE-2025-4512

Description

A vulnerability classified as problematic has been found in Inetum IODAS 7.2-LTS.4.1-JDK7/7.2-RC3.2-JDK7. Affected is an unknown function of the file /astre/iodasweb/app.jsp. The manipulation of the argument action leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Inetum IODAS 7.2-LTS.4.1-JDK7 and 7.2-RC3.2-JDK7 contain a reflected XSS vulnerability via the 'action' parameter in /astre/iodasweb/app.jsp.

Vulnerability Overview

The Inetum IODAS application versions 7.2-LTS.4.1-JDK7 and 7.2-RC3.2-JDK7 contain a reflected cross-site scripting (XSS) vulnerability in the file /astre/iodasweb/app.jsp. An unknown function within this file fails to properly validate and encode user-supplied input when processing the action parameter. This allows an attacker to inject arbitrary JavaScript code that is immediately reflected back in the application's HTTP response [1].

Exploitation Method

An attacker can exploit this vulnerability by crafting a malicious URL that includes a payload in the action parameter, such as ``. Since the attack is remote and does not require authentication, the attacker only needs to trick a victim into clicking the crafted link. The injected script then executes in the victim's browser within the context of the IODAS web application [1].

Impact and Consequences

Successful exploitation enables a range of malicious activities, including performing actions on behalf of authenticated users, stealing session tokens, defacing the application's interface, redirecting victims to malicious sites, or conducting phishing attacks. These outcomes can lead to unauthorized access to user accounts and overall data compromise [1]. The vendor, Inetum, was contacted but did not respond, leaving no official patch or acknowledgement available as of publication [CVE description].

Mitigation Status

No patch or vendor advisory has been released. Users are advised to implement mitigations such as sanitizing all user input, applying proper output encoding, deploying a Content Security Policy (CSP), and setting HttpOnly and Secure flags on cookies. Reviewing Web Application Firewall (WAF) settings is also recommended [1].
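While no patch exists, a defender can at least watch for probing of the affected endpoint. The following is an added example (not code from the advisory, the vendor or the VYPR page) that scans constructed Combined Log Format access-log lines for requests to /astre/iodasweb/app.jsp whose action parameter, once decoded, carries HTML or script markup; the log format, the sample lines and the markup heuristic are assumptions, the path and parameter name come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter named in the advisory; everything else here is constructed.
AFFECTED_PATH = "/astre/iodasweb/app.jsp"
PARAM = "action"

# Minimal Combined Log Format parser: client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters/tokens that have no place in an application action name once decoded.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def suspicious_action_values(target: str) -> list:
    """Return decoded 'action' values of an affected-path request that contain markup."""
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs already decoded once; a second pass catches double-encoded values,
        # a common way of slipping past a WAF rule that only decodes once.
        decoded = unquote(value)
        if MARKUP_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines) -> list:
    """Return (client, timestamp, decoded value) for every flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        for value in suspicious_action_values(m["target"]):
            alerts.append((m["client"], m["ts"], value))
    return alerts


# Constructed sample: a benign request, a plain-encoded probe, a double-encoded probe,
# and a probe against an unrelated path that must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:01:02 +0000] "GET /astre/iodasweb/app.jsp?action=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:09 +0000] "GET /astre/iodasweb/app.jsp?action=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:10:01:15 +0000] "GET /astre/iodasweb/app.jsp?action=%253Cb%253Ex HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:10:01:20 +0000] "GET /other.jsp?action=%3Cb%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for client, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} markup in '{PARAM}' on {AFFECTED_PATH}: {value!r}")
```

A hit only shows that the parameter was probed; whether the response actually reflected it unencoded must be confirmed against the application itself.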

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)