VYPR
Low severity · 3.5 · NVD Advisory · Published Aug 28, 2025 · Updated Apr 29, 2026

CVE-2025-9590


Description

A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Weaver E-Mobile Mobile Management Platform up to 20250813 suffers from a reflected XSS vulnerability via the gohome parameter, enabling remote unauthenticated attacks.

Vulnerability Analysis

CVE-2025-9590 describes a reflected cross-site scripting (XSS) flaw in Weaver E-Mobile Mobile Management Platform, affecting versions from 20240129 through the latest 20250813 [1]. The vulnerability exists in an unknown function that processes the gohome URL parameter. The input is reflected directly into a JavaScript context within the page without proper sanitization. Specifically, quotation marks and semicolons are not filtered, allowing an attacker to break out of the existing JavaScript string and inject arbitrary script code [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a payload appended to the gohome parameter, such as `?gohome="%3bwindow%27al%27%2b%27ert%27%3bvar%20test%3d"xss`. When a victim visits this URL (no authentication is required; the login page is sufficient), the injected JavaScript executes in the context of the victim's browser session [1][2]. The attack is remote and does not require any prior authentication or user interaction beyond clicking the link.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, redirection to malicious sites, or theft of sensitive information displayed on the page. The platform is reported to have over a hundred thousand users across the internet, increasing the potential attack surface [1][2].

Mitigation

The vendor was contacted early but has not responded as of the publication date [2]. No patch or official workaround has been released. Users are advised to restrict access to the login page, monitor for suspicious URL parameters, and consider deploying a web application firewall (WAF) to block malicious payloads targeting the gohome parameter.
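
One way to carry out the "monitor for suspicious URL parameters" step above, as an added example (not code from the advisory or the vendor): a Python filter over access-log lines that flags `gohome` values containing string break-out characters after percent-decoding, including double-encoded input. The combined log format, the `/placeholder-login` path, the sample lines and the characters beyond quotes and semicolons are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that can end or escape a JavaScript string literal or statement.
# The advisory names quotes and semicolons; the others are an added assumption.
BREAKOUT = re.compile(r"""["';\\<>\r\n]""")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the path is a placeholder, not the product's real URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2025:10:00:01 +0000] "GET /placeholder-login?gohome=%2Fhome HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Aug/2025:10:00:07 +0000] "GET /placeholder-login?gohome=%22%3Bvar%20t%3D%22x HTTP/1.1" 200 530',
    '203.0.113.9 - - [28/Aug/2025:10:00:09 +0000] "GET /placeholder-login?gohome=%2522%253Bx HTTP/1.1" 200 530',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_gohome(log_line):
    """Return the decoded gohome value if it could break out of a JS string, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "gohome":
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if BREAKOUT.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line number, decoded value) for every flagged log line."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := suspicious_gohome(line))]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: gohome={value!r}")
```

A legitimate `gohome` value that itself contains a quote or semicolon would also be flagged, so treat hits as leads to review rather than confirmed attacks.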

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.


References: 5
