VYPR
Medium severity 5.4 · NVD Advisory · Published Oct 16, 2025 · Updated Apr 15, 2026

CVE-2025-55072

Description

Stored cross-site scripting (XSS) vulnerability in desknet's NEO V2.0R1.0 to V9.0R2.0 allows execution of arbitrary JavaScript in a user’s web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in desknet's NEO allows an attacker to inject arbitrary JavaScript into web pages.

Vulnerability Description

CVE-2025-55072 is a stored cross-site scripting (XSS) vulnerability in desknet's NEO, affecting versions V2.0R1.0 through V9.0R2.0. The issue arises from insufficient sanitization of user-supplied input, allowing malicious code to be stored and later executed in the browsers of other users [1][2].

Exploitation Conditions

An attacker with low privileges (e.g., a standard user) can inject a script into a vulnerable field or page. When another user (including administrators) views the affected content, the script executes within their browser session. The CVSS v3 base score is 5.4, with a network attack vector and user interaction required [2].

Impact

Successful exploitation enables arbitrary JavaScript execution in the context of the victim's session. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites. The overall impact is considered moderate due to the need for user interaction and low privilege requirements [1][2].

Mitigation

NEOJAPAN has released patches for affected versions. Users are advised to update desknet's NEO to the latest version. The advisory also notes that the cloud version is separately managed [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 2
