VYPR
Medium severity 6.1 · NVD Advisory · Published Oct 9, 2025 · Updated Apr 15, 2026

CVE-2025-61532

Description

Cross-Site Scripting vulnerability in SVX Portal v.2.7A allows execution of arbitrary code via the TG parameter of the last_heard_page.php component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SVX Portal v2.7A has a stored XSS vulnerability in the TG parameter of last_heard_page.php, allowing arbitrary script execution.

Vulnerability Overview

CVE-2025-61532 describes a Cross-Site Scripting (XSS) vulnerability in SVX Portal version 2.7A. The flaw exists in the TG parameter within the last_heard_page.php component, where insufficient input sanitisation allows an attacker to inject and execute arbitrary HTML or JavaScript code [1]. This is a client-side injection issue that falls under the category of reflected XSS, as the payload is processed immediately upon request.

Attack Vector and Prerequisites

An attacker can exploit this vulnerability by crafting a URL with a malicious TG parameter value and delivering it to a logged-in SVX Portal user, for example via a phishing email or a link on a forum. No authentication is required to trigger the XSS on the vulnerable endpoint; however, the victim must be authenticated to the portal for the injected script to access session data or perform actions on their behalf [1]. The attack surface is limited to browsers that execute JavaScript, and the prerequisite is that the victim visits the crafted link while their session is active.

Impact

Successful exploitation allows the attacker to execute arbitrary client-side scripts within the security context of the SVX Portal application. This can lead to session hijacking, theft of sensitive tokens, defacement of the portal interface, or redirection to malicious sites. The CVSS v3 base score of 6.1 (Medium) reflects the need for user interaction and the potential for moderate impact on confidentiality and integrity [1].

Mitigation Status

A security audit addressed numerous issues in portal version 1.3.0 [1]; however, the current CVE specifically targets version 2.7A, which has not been patched at the time of publication. Users are advised to upgrade to a newer version if available, implement a web application firewall (WAF) rule to filter malicious TG parameter values, or apply input validation and output encoding as a workaround. The vendor has not yet released a dedicated fix for CVE-2025-61532 [2].
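The input validation and output encoding workaround named above, as an added example that is not SVX Portal's own code. It assumes TG carries a numeric talkgroup ID that last_heard_page.php echoes into the HTML response; the function names and the 1 to 8 digit limit are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not SVX Portal code. Assumption: TG is a numeric
// talkgroup ID that last_heard_page.php echoes back into the page.

/** Allowlist validation: return TG as an int, or null unless it is 1-8 ASCII digits. */
function tg_from_query(array $query): ?int
{
    $raw = $query['TG'] ?? null;
    // Arrays (TG[]=x) and anything but plain digits are rejected.
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Output encoding for HTML text nodes and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the filter heading; invalid input is dropped, never echoed raw. */
function render_tg_heading(array $query): string
{
    $tg = tg_from_query($query);
    if ($tg === null) {
        return '<h2>Last heard: all talkgroups</h2>';
    }
    // Encode even though the value is validated, so a later loosening
    // of the validation rule does not reopen the injection point.
    return '<h2>Last heard: TG ' . h((string) $tg) . '</h2>';
}

// Constructed sample inputs (not captured traffic).
$samples = [
    ['TG' => '2626'],
    ['TG' => '<script>alert(1)</script>'],
    ['TG' => ['2626']],
    ['TG' => "2626\n"],
    [],
];
foreach ($samples as $query) {
    echo json_encode($query), ' => ', render_tg_heading($query), PHP_EOL;
}
```

Only the first sample renders a talkgroup heading; the other four fall back to the unfiltered heading without any part of the input reaching the output.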

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 2
