CVE-2025-54760
Description
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allows execution of arbitrary JavaScript in a user’s web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in desknet's NEO V9.0R2.0 and earlier allows an attacker to execute arbitrary JavaScript when a user views a page containing malicious content.
Vulnerability Overview
CVE-2025-54760 is a stored cross-site scripting (XSS) vulnerability affecting desknet's NEO V9.0R2.0 and earlier versions. The issue exists because the application does not properly sanitize user-supplied input before storing it, allowing the injection of malicious scripts. This is classified under CWE-79 and has a CVSS v3 base score of 5.4 (Medium). [1][2]
Exploitation Conditions
To exploit this vulnerability, an attacker must be authenticated and have the ability to submit data that is stored and later displayed to other users. The attacker can inject malicious JavaScript into fields that are not sanitized. When a victim (who also must be a logged-in user) views the affected page, the stored script executes in their browser. The attack requires user interaction (the victim must view the page) and is performed over the network. [2]
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. The attacker can potentially steal session cookies, perform actions on behalf of the victim, or deface the application. The scope is changed (confidentiality and integrity impacts are low, but the attack crosses trust boundaries). [2]
Mitigation
NEOJAPAN has released a maintenance update addressing this vulnerability. Users are advised to apply the patch provided in the vendor advisory [1]. The vulnerability affects desknet's NEO V9.0R2.0 and earlier, as well as related products like desknet's Web Server (all versions) and AppSuite (V4.0R1.0 to V9.0R2.0) [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.