CVE-2025-52179
Description
Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution 4.1 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahrw/jsp/gsfr_feditorHTML.jsp endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in Zucchetti Ad Hoc Revolution 4.1 and earlier via the pHtmlSource parameter.
Vulnerability
Overview
CVE-2025-52179 is a reflected cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution version 4.1 and earlier. The flaw resides in the /ahrw/jsp/gsfr_feditorHTML.jsp endpoint, where the pHtmlSource parameter is reflected in the response without proper sanitization or encoding. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser session [1].
Exploitation
The vulnerability is exploitable remotely by an unauthenticated attacker. No authentication or prior access is required. The attacker crafts a malicious URL containing the payload in the pHtmlSource parameter and tricks a user into clicking it (e.g., via phishing or a link on a third-party site). When the victim visits the crafted URL, the injected script executes in their browser, enabling actions such as session hijacking, credential theft, or defacement [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the security context of the affected Zucchetti application. This can lead to disclosure of sensitive information, manipulation of page content, or redirection to malicious sites. Because the attack does not require authentication, the potential attack surface is broad, affecting any user who accesses the vulnerable endpoint [1].
Mitigation
Zucchetti has not released a patch for this vulnerability as of the publication date. Users of Ad Hoc Revolution 4.1 and earlier are advised to apply input validation and output encoding on the pHtmlSource parameter, or restrict access to the vulnerable endpoint until an official update is available. The related CVE-2025-52180 affects the same parameter in the Ad Hoc Infinity product line [1].
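The output-encoding control recommended above is illustrated below in an added example that is not part of this record and not Zucchetti's code. The two `render*` functions are hypothetical stand-ins for the JSP's response template (the real endpoint's markup is not shown on this page); `encodeForHtml` applies standard HTML entity encoding to the reflected `pHtmlSource` value so that any markup in the request stays inert text in the response. `containsForeignTag` is a small oracle a defender can use in regression tests to confirm that no tag other than the template's own reaches the browser.

```javascript
// Added example (not the vendor's code): HTML-encode a reflected request
// parameter before placing it into an HTML response.

// Characters that carry meaning in HTML text and attribute contexts, mapped
// to their entity form (the minimal set commonly recommended for HTML encoding).
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for safe inclusion in HTML element content or a quoted attribute.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical template standing in for the JSP: the parameter is reflected
// verbatim, which is the defect class described in this record.
function renderUnsafe(pHtmlSource) {
  return `<textarea name="pHtmlSource">${pHtmlSource}</textarea>`;
}

// Hardened form of the same template: encode before reflecting.
function renderSafe(pHtmlSource) {
  return `<textarea name="pHtmlSource">${encodeForHtml(pHtmlSource)}</textarea>`;
}

// Regression-test oracle: does the rendered body contain any tag other than
// the <textarea> the template itself emits?
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?textarea\b/i.test(t));
}

// Constructed sample input: markup-bearing text of the kind a scanner sends,
// used only to show that the encoded output keeps it as literal text.
const SAMPLE = '</textarea><b>injected</b>';

console.log('unsafe :', renderUnsafe(SAMPLE));
console.log('safe   :', renderSafe(SAMPLE));
console.log('foreign tag after encoding?', containsForeignTag(renderSafe(SAMPLE)));
```

Running the block prints the two renderings side by side; in the hardened output every `<`, `>` and `/` from the input appears as an entity, so the oracle reports no foreign tag. Encoding at the point of output is the control that holds regardless of what input validation accepts, which is why both are listed above.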
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.