CVE-2025-7920
Description
WinMatrix3 Web package developed by Simopro Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WinMatrix3 Web package versions ≤1.2.39.5 contain a reflected XSS flaw allowing unauthenticated attackers to execute arbitrary JavaScript via crafted phishing links.
Vulnerability Overview
CVE-2025-7920 is a reflected cross-site scripting (XSS) vulnerability in the WinMatrix3 Web package developed by Simopro Technology. The flaw exists because the web application fails to properly sanitize user-supplied input before reflecting it in the HTTP response, enabling an attacker to inject arbitrary JavaScript code [1][2].
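The defect class described above, as an added illustration that is not WinMatrix3's code: a hypothetical search page reflects the `q` query parameter into its HTML response, once unencoded (the vulnerable pattern) and once HTML-encoded before reflection (the fix); the sample query string is constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: a query string of the kind a crafted link would carry.
SAMPLE_QUERY = "q=<script>alert(1)</script>"


def _param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflect user input straight into the HTML body (hypothetical vulnerable handler).

    The value arrives from the URL and is echoed into the response without
    encoding, so markup supplied by the link author runs in the victim's browser.
    """
    q = _param(query_string, "q")
    return f"<p>Results for: {q}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, with the reflected value HTML-encoded for its output context.

    html.escape turns <, >, &, " and ' into entities, so the browser renders the
    text literally instead of parsing it as tags or attributes.
    """
    q = _param(query_string, "q")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflects_markup(response_body: str, raw_value: str) -> bool:
    """Defender-side check: does the raw (unencoded) input appear verbatim in the response?

    Useful in a regression test for any endpoint that echoes request data.
    """
    return raw_value in response_body


if __name__ == "__main__":
    raw = _param(SAMPLE_QUERY, "q")
    print(render_vulnerable(SAMPLE_QUERY))
    print(render_hardened(SAMPLE_QUERY))
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(SAMPLE_QUERY), raw))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(SAMPLE_QUERY), raw))
```

Output encoding must match the context the value lands in (HTML body here); a value placed inside a JavaScript block or a URL attribute needs that context's encoding instead.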
Attack Vector and Prerequisites
An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious URL and tricking a victim into clicking it, typically through a phishing email or social engineering. No authentication is required to trigger the flaw, as the vulnerable input is processed without prior user validation [1]. The attack relies on user interaction (the victim clicking the crafted link), which is reflected in the CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session with the WinMatrix3 application. This can lead to sensitive data theft, session hijacking, or defacement of the web interface, depending on the privileges of the victim within the application [1].
Mitigation
Simopro Technology has released a hotfix for version 1.2.39.5 and recommends updating to version 3.9.1 (Web 1.3.1) or later. Users running versions prior to 1.2.39.5 should upgrade immediately to the fixed versions to eliminate the vulnerability [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (No linked articles in our index yet.)