VYPR
Medium severity 6.1 · NVD Advisory · Published Oct 16, 2025 · Updated Apr 15, 2026

CVE-2025-52583

Description

Reflected cross-site scripting (XSS) vulnerability in desknet's Web Server allows execution of arbitrary JavaScript in a user’s web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected cross-site scripting (XSS) vulnerability in desknet's Web Server allows an attacker to execute arbitrary JavaScript in a user's browser via crafted input.

Vulnerability Overview

CVE-2025-52583 is a reflected cross-site scripting (XSS) vulnerability affecting desknet's Web Server. The root cause is improper sanitization of user-supplied input, allowing an attacker to inject malicious JavaScript into a web page that is then reflected back to the user. According to the vendor advisory [1] and JVN [2], this vulnerability affects all versions of desknet's Web Server.

Exploitation Conditions

The attack vector is network-based with low complexity. No authentication is required, but user interaction is necessary: the victim must click a crafted link or visit a maliciously constructed URL. The CVSS v3.1 base score is 6.1 (Medium), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [2]. The C:L/I:L components indicate limited confidentiality and integrity impact, and the changed scope (S:C) reflects that the injected script executes in the victim's browser rather than on the web server itself.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement of the web interface, or redirection to malicious sites. The JVN advisory confirms that arbitrary JavaScript may be executed in the web browser of the user [2].

Mitigation

The vendor, NEOJAPAN Inc., has published an advisory detailing the issue [1]. Users are advised to apply the latest updates provided by the vendor. As of the publication date (2025-10-16), no workaround is documented; updating to a patched version is the recommended course of action.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
