CVE-2025-54859
Description
Stored cross-site scripting (XSS) vulnerability in desknet's NEO V9.0R2.0 and earlier allows execution of arbitrary JavaScript in a user’s web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-54859 is a stored XSS vulnerability in desknet's NEO V9.0R2.0 and earlier, allowing arbitrary JavaScript execution in a user's browser.
Vulnerability Overview
CVE-2025-54859 is a stored cross-site scripting (XSS) vulnerability in desknet's NEO, a groupware product by NEOJAPAN Inc. The vulnerability affects desknet's NEO V9.0R2.0 and earlier versions [1][2]. It is classified under CWE-79, and the root cause is insufficient input validation or output encoding, allowing an attacker to store malicious script in the application that later executes in another user's browser.
Exploitation Conditions
The CVSS v3 score is 4.8 (Medium), with a vector string of AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N [2]. To exploit this vulnerability, an attacker must have high privileges (e.g., an authenticated administrative user) and rely on another user (e.g., a regular user) to interact with the malicious content. The attack is launched over the network without complex requirements.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to stealing session cookies, defacing pages, or performing actions on behalf of the victim within the application. The impact is limited to confidentiality and integrity of user data in the scope of the web application.
Mitigation
The vendor has released updates to address this and other vulnerabilities. Users should upgrade desknet's NEO to a patched version as detailed in the vendor advisory [1]. No workarounds are mentioned; upgrading is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.