VYPR
Medium severity (6.1) · OSV Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026

CVE-2025-56313

Description

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in JATOS 3.7.1–3.9.6 allows remote attackers to execute arbitrary JavaScript via the 'code' parameter, affecting authenticated admins.

Vulnerability

Analysis

A reflected cross-site scripting (XSS) vulnerability has been identified in the /publix/run endpoint of JATOS versions 3.7.1 through 3.9.6. The flaw stems from insufficient sanitization of the code URL parameter, allowing an attacker to inject arbitrary JavaScript. When the crafted URL is processed, the malicious script is reflected back into the browser response without proper encoding, leading to code execution within the context of the victim's session.

Exploitation

Prerequisites

Exploitation requires an authenticated admin user to visit a crafted URL containing the malicious payload in the code parameter. The attacker does not need prior authentication; any remote attacker can deliver the URL via social engineering (e.g., email or a malicious link). The vulnerability is triggered when the admin accesses the study's URL, causing the payload to execute in their browser session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin user's session. This can lead to unauthorized actions such as modifying study data, creating new admin accounts, exfiltrating sensitive information, and potentially full privilege escalation within the JATOS instance. The risk is amplified because the admin account typically has elevated permissions.

Mitigation

As of the publication date, the vulnerability affects JATOS versions 3.7.1 through 3.9.6 inclusive. Users should update to a patched version if one becomes available (the advisory is silent on a specific fix version). General security best practices include enforcing input validation for all URL parameters and sanitizing output to prevent XSS. No workaround has been explicitly mentioned, but restricting access to admin URLs and using web application firewall (WAF) rules that inspect the code parameter may reduce risk. The vendor has been notified [1].
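As an added illustration of the input-validation and output-encoding advice above (a constructed example, not JATOS's own code; the study-code format, the response wording and the sample URL are assumptions):

```python
"""Constructed example (not JATOS source): validating and HTML-encoding a
reflected URL parameter such as the ``code`` parameter of /publix/run, so the
value cannot inject markup into the response."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed study-code format; the advisory does not state JATOS's real format.
STUDY_CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample request: the parameter carries percent-encoded markup.
SAMPLE_URL = "/publix/run?code=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def extract_code(url: str) -> str:
    """Return the percent-decoded ``code`` query parameter, or '' when absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("code", [""])[0]


def render_unsafe(code: str) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into HTML."""
    return f"<p>Study code {code} was not found.</p>"


def render_encoded(code: str) -> str:
    """Output encoding alone: html.escape with quote=True also escapes ' and ",
    so the value is inert even inside attribute values."""
    return f"<p>Study code {html.escape(code, quote=True)} was not found.</p>"


def render_safe(code: str) -> str:
    """Defense in depth: reject values outside the expected format first, and
    never echo a rejected value back; encode whatever is still reflected."""
    if not STUDY_CODE_RE.fullmatch(code):
        return "<p>Invalid study code.</p>"
    return render_encoded(code)


def reflects_raw(response: str, param: str) -> bool:
    """Regression check for any handler that echoes request input: does a
    parameter containing markup characters come back verbatim?"""
    return any(ch in param for ch in "<>\"'") and param in response
```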

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • JATOS (JatosOSV2), 2 version entries
    • (no CPE) range: v3.7.1, v3.7.2, v3.7.3, …
    • (no CPE) range: >=3.7.1 <=3.9.6

Patches

No patches discovered yet.

References
