CVE-2025-60933
Description
Multiple stored cross-site scripting (XSS) vulnerabilities in the Future Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 allow arbitrary script execution via future-goal parameters; patched in PP-Release-6.3.2.0.
Root Cause
Performance Pro v3.19.17 contains multiple stored cross-site scripting (XSS) vulnerabilities in the Future Goals function. The application fails to sanitize or encode user-supplied input before storing it server-side and later rendering it in the browser. Vulnerable parameters include Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description during goal creation/update, and Goal Name, Goal Description, and Action Step Description when viewing or printing goals via /viewgoals.php?printview=1&type=future [1].
Exploitation
An authenticated attacker can inject arbitrary JavaScript into any of the vulnerable fields by sending a POST request to the goal setup endpoint. The payload is stored and executed when any user (including the attacker or other authenticated users) views the affected pages. The attacker may also craft a direct URL to the print view that includes the payload in the reflected content, allowing for phishing-based delivery [1]. No additional privileges beyond standard user authentication are required to inject or trigger the stored XSS.
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts or HTML in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability is classified as medium severity (CVSS 6.1) due to the requirement for prior authentication and user interaction [1].
Mitigation
The vendor has addressed these issues in release PP-Release-6.3.2.0. Users of Performance Pro v3.19.17 and earlier should upgrade immediately. No workarounds are documented; input sanitization and output encoding should be enforced as a general security best practice [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.19.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.