VYPR
Medium severity · NVD Advisory · Published Aug 14, 2025 · Updated Apr 15, 2026

CVE-2025-7761

Description

Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation of one of the parameters in the index.php form allows arbitrary JavaScript to be executed in the victim's browser when a specially crafted URL is opened.

The vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lepszy BIP suffers from reflected XSS via improper input validation in index.php, allowing arbitrary JavaScript execution.

Vulnerability Overview

CVE-2025-7761 describes a reflected cross-site scripting (XSS) vulnerability in Lepszy BIP, a Polish public information bulletin system. The root cause is improper input validation of parameters passed to the index.php script. This allows an attacker to inject arbitrary JavaScript code into a specially crafted URL. [1]

Exploitation Conditions

An attacker can exploit this vulnerability by tricking a victim into clicking a maliciously crafted link. No authentication is required, and the attack is performed over the network. The victim's browser then executes the injected script in the context of the vulnerable application.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to actions such as session hijacking, credential theft, or defacement of the page. The vendor was contacted but did not respond, and potentially all versions of the software are affected.

Mitigation Status

As of the publication date (2025-08-14), no official patch or workaround has been released by the vendor. Users are advised to implement generic XSS defenses, such as input validation and output encoding, or consider alternatives if possible.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
