VYPR
Medium severity (5.4) · NVD Advisory · Published Apr 9, 2026 · Updated May 5, 2026

CVE-2025-70365

Description

A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. NOTE: the Supplier's position is that a fix for this had already been released for the 8.3.1 branch before the CVE Record was published.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Kiamo administrative interfaces allows an authenticated admin to inject arbitrary JavaScript that runs in the browsers of other users viewing the affected pages; the cited proof-of-concept uses it to steal the session cookie. Fixed in version 8.4.

Kiamo before version 8.4 contains a stored cross-site scripting (XSS) vulnerability in its administrative interface due to improper output encoding of user-supplied input in fields such as the 'description' field [1]. This allows an authenticated administrative user to inject arbitrary JavaScript code that is stored and later executed in the browsers of other users viewing the affected pages.

An attacker with administrative privileges exploits this by submitting a malicious payload into a vulnerable field (e.g., description) through the admin interface; the value is stored unencoded. When any user, whether the attacker or another administrator, later views the page that renders that field, the JavaScript executes in that user's browser context. The referenced proof-of-concept demonstrates cookie theft, specifically of the kiamo_session cookie, which carries the session information [1]; reading it from script implies the cookie was exposed to JavaScript on the affected versions.

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected page, potentially leading to session hijacking, privilege escalation, or further compromise of the administrative interface and underlying data [1].

The vulnerability is fixed in Kiamo version 8.4, and the vendor states that a fix had already been released for the 8.3.1 branch before the CVE record was published [1]. Until the patch can be applied, restrict access to the administrative interfaces to the smallest necessary set of accounts and networks, and review the vulnerable fields for stored markup or script [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patch links indexed yet; the description states the fix ships in 8.4 and was also released on the 8.3.1 branch)

Vulnerability mechanics: not yet synthesized for this CVE

References: 2

News mentions: 0 (no linked articles indexed yet)