CVE-2025-61080
Description
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Clear2Pay Bank Visibility Application - Payment Execution 1.10.0.104 via the ID parameter in the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Clear2Pay Bank Visibility Application via unvalidated 'id' parameter, allowing script injection into victim's browser.
Vulnerability Overview
A reflected Cross-Site Scripting (XSS) vulnerability exists in Clear2Pay Bank Visibility Application - Payment Execution version 1.10.0.104. The 'id' parameter in several endpoints (e.g., /BankVisibility/processPerson.do, /BankVisibility/processBank.do) is not properly validated or sanitized before being reflected in the HTML response, allowing injection of arbitrary JavaScript [1].
Exploitation Conditions
An attacker can exploit this by crafting a URL containing a malicious payload in the 'id' parameter, such as ">. The vulnerability requires authentication with low privileges (PR:L) and no user interaction (UI:N). The attack vector is network-based (AV:N) with low complexity (AC:L) [1].
Impact
Successful exploitation allows an attacker to execute malicious scripts in the victim's browser within the context of the application. This can lead to session theft, web content manipulation, or redirection to phishing pages. The CVSS v3.1 base score is 5.4 (Medium), with scope unchanged and impacts on integrity (I:L) and confidentiality (C:L) [1].
Mitigation
No official patch or vendor advisory has been reported. As a workaround, applications should implement proper input validation and output encoding for all user-controlled parameters. Until a fix is available, users should restrict access to the application endpoints to trusted networks only.
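Because no vendor fix is listed, the validation and encoding workaround above can be applied as a compensating control in front of the application. The following is an added example, not vendor or project code: it checks the `id` parameter on `/BankVisibility/` requests against an allowlist and shows the matching output encoding. The allowlist format, the function names and the `bank.example` host used in testing are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate id values are short alphanumeric tokens.
# Replace the pattern with the application's real identifier format.
ID_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
PROTECTED_PREFIX = "/BankVisibility/"  # endpoints named in the advisory live here


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is judged in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def id_violations(url):
    """Return the id values in `url` that fail the allowlist (empty list = pass)."""
    parts = urlsplit(url)
    # Prefix match also covers paths carrying a ;jsessionid suffix.
    if not parts.path.startswith(PROTECTED_PREFIX):
        return []
    bad = []
    # keep_blank_values: an empty id is checked too; every repeated id is checked.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "id" and not ID_ALLOWED.fullmatch(fully_decode(value)):
            bad.append(value)
    return bad


def encode_for_html(value):
    """Output encoding for HTML text and quoted-attribute contexts."""
    return html.escape(value, quote=True)
```

A proxy or request filter would reject any request for which `id_violations` returns a non-empty list; `encode_for_html` is the server-side fix for wherever the value is written back into a page.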
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Range: = 1.10.0.104
Patches
No patches discovered yet.
References
1