CVE-2025-65640
Description
Stored XSS in Arket Globe Document Intelligence 5.0.0.559 allows authenticated attackers to execute JavaScript in other users' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in the "Task in Progress / Recent" page of Arket Globe Document Intelligence version 5.0.0.559. The vulnerability stems from improper sanitization of user input within the "Title" field when creating a new document. This allows an authenticated attacker to inject JavaScript code that is stored on the server [1].
Exploitation
An authenticated attacker can exploit this vulnerability by creating a new document and injecting a JavaScript payload into the "Title" field. When other authenticated users view the document properties or summary pages, the injected script will execute in their browser context [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking and account takeover. The attacker can exfiltrate sensitive information, such as session cookies, by redirecting them to an attacker-controlled server [1].
Mitigation
Arket Globe Document Intelligence version 5.0.0.559 is affected. Information regarding a fixed version or specific mitigation steps is not yet disclosed in the available references. Users are advised to consult vendor advisories for updates [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =5.0.0.559
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize or encode user-supplied input within the 'Title' property of a newly created document."
Attack vector
An authenticated attacker can create a new document and inject JavaScript code into the "Title" field. When other authenticated users navigate to the "Task in progress / Recent" page, the injected script is executed in their browser context. This allows for arbitrary JavaScript execution, potentially leading to session hijacking or account takeover [1].
Affected code
The vulnerability resides in the "Title" property of a newly created document within the Globe Document Intelligence platform, version 5.0.0.559. Specifically, the "Task in progress / Recent" page reflects this unsanitized input, leading to script execution [1].
What the fix does
The advisory does not specify a patch or describe how the vulnerability is fixed. It states only the root cause: the application fails to properly sanitize or encode user-supplied input within the "Title" property of a newly created document [1].
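The root cause named above is missing output encoding of the stored "Title" value. As an added example (not code from the product or the advisory; the record shape and all function names are assumptions), the following contrasts a row renderer that concatenates the title into markup with one that encodes it, and adds a heuristic check for titles already stored with markup in them.

```javascript
// Added example: hypothetical rendering code, not taken from Globe Document Intelligence.
// Constructed sample records; the second title is the test string from the reproduction steps.
const sampleDocs = [
  { id: 101, title: 'Budget < 500 EUR' },
  { id: 102, title: '<script>alert("XSS")</script>' },
  { id: 103, title: 'Contract & annex' },
];

// Encode the five characters that are significant in HTML text and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function renderRowUnsafe(doc) {
  return `<tr data-id="${doc.id}"><td>${doc.title}</td></tr>`;
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderRowSafe(doc) {
  return `<tr data-id="${escapeHtml(doc.id)}"><td>${escapeHtml(doc.title)}</td></tr>`;
}

// Audit helper (heuristic): flag stored titles that contain a tag, an inline
// event handler or a javascript: URL, so they can be reviewed and cleaned.
function findSuspiciousTitles(docs) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return docs.filter((d) => markup.test(String(d.title))).map((d) => d.id);
}

console.log(sampleDocs.map(renderRowSafe).join('\n'));
console.log('Titles to review:', findSuspiciousTitles(sampleDocs));
```

The encoder covers HTML text and quoted attribute contexts only; a title placed inside a script block, a URL or an unquoted attribute needs the encoding for that context instead.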
Preconditions
- auth: The attacker must be authenticated.
- input: The attacker must be able to input data into the "Title" field when creating a new document.
Reproduction
1. Navigate to the document creation section ("Nuovo documento") and fill in the required fields with arbitrary data to successfully create a new document.
2. Submit the form and create the document.
3. Select the newly created document, open the context menu (Right-Click -> Document Properties), and locate the "Title" field.
4. Inject the following basic XSS payload into the "Title" field: <script>alert("XSS")</script>
5. Save the changes. The malicious payload is now persistently stored in the database.
6. Navigate to the "Task in progress / Recent" (Task
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.arket.it (nvd)