VYPR
Severity: Medium (CVSS 4.0)
Source: NVD Advisory
Published: Jul 15, 2025
Updated: Apr 15, 2026

CVE-2025-53839

Description

DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DRACOON Branding Service prior to 2.10.0 is vulnerable to stored XSS via improper input neutralization, allowing admin-crafted HTML injection in new user workflows.

Vulnerability Overview

CVE-2025-53839 is a cross-site scripting (XSS) vulnerability in the DRACOON Branding Service, a component that allows customer administrators to customize the DRACOON interface with their own branding. Versions prior to 2.10.0 improperly neutralize input from administrative users, enabling injection of arbitrary HTML code into the workflow presented to newly onboarded users [1]. This is a server-side input neutralization flaw classified under CWE-79 [1].

Exploitation Requirements

An attacker must have administrative access to the DRACOON Branding Service to inject malicious HTML. The vulnerability has a CVSS v3.1 base score of 4.0 (Medium) with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N [1]. Exploitation requires high privileges and complex conditions, but it does not require user interaction. The injected content is then rendered to new users without proper sanitization.

Impact and Mitigation

Successful exploitation allows a malicious administrator to inject HTML that could deface branding elements or potentially execute script-like behavior in the context of new user workflows [1]. However, due to the high privilege requirement and the service's cloud-hosted nature, the practical attack surface is limited. The vendor released a fix in version 2.10.0, which was automatically rolled out to all customers; no customer action is necessary [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
