CVE-2025-0747
Published: 30 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-0747 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting EmbedAI. Published on 2025-01-30, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The issue enables injection of malicious JavaScript code into a message within the application.
An authenticated attacker can exploit this vulnerability by injecting malicious JavaScript into a message; the script then executes in another user's browser when that user opens the chat. The result is a high confidentiality impact through cross-origin data exfiltration, and the changed scope (S:C) in the CVSS vector reflects that the effect extends beyond the vulnerable component into the victim's browser session.
Mitigation details are available in the INCIBE-CERT advisory on multiple vulnerabilities in EmbedAI at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-embedai.
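The pattern behind a stored XSS of this kind, shown as an added example that is not EmbedAI's code and does not reflect how EmbedAI renders chat: a message is concatenated into markup without encoding (the vulnerable form) versus escaped for the HTML context before it reaches the DOM (the hardened form). The message text, the `renderMessage*` functions and the `looksLikeMarkup` heuristic are all constructed for illustration.

```javascript
// Added example (not EmbedAI code): how a stored-XSS bug of the kind described
// in CVE-2025-0747 arises when chat messages are rendered as raw HTML, and the
// fix of encoding untrusted text before it is placed in the page.

// Constructed sample message; "probe()" stands in for whatever an attacker
// would put in an event handler.
const SAMPLE_MESSAGE = 'hello <img src=x onerror="probe()"> world';

// Encode the characters that change meaning in an HTML text or attribute
// context. Ampersand must be replaced first so later entities are not doubled.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: author and text are interpolated into markup that is
// later assigned to innerHTML (or emitted server-side without encoding), so
// a stored message containing a tag or event handler executes for every
// viewer of the chat.
function renderMessageUnsafe(author, text) {
  return `<div class="msg"><b>${author}</b>: ${text}</div>`;
}

// Hardened pattern: every untrusted field is encoded for the HTML context.
// The browser then shows the literal characters instead of parsing them.
function renderMessageSafe(author, text) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Cheap review/alerting heuristic over stored message bodies: does the text
// contain something that looks like a tag, an inline event handler, or a
// javascript: URL? This is for detection and triage only; output encoding
// (renderMessageSafe) is the actual control.
function looksLikeMarkup(text) {
  return /<[a-z!\/]|\bon[a-z]+\s*=|javascript:/i.test(String(text));
}

// Stand-alone demonstration of the two renderings and the heuristic.
console.log('unsafe :', renderMessageUnsafe('alice', SAMPLE_MESSAGE));
console.log('safe   :', renderMessageSafe('alice', SAMPLE_MESSAGE));
console.log('flagged:', looksLikeMarkup(SAMPLE_MESSAGE));
```

The unsafe rendering leaves `<img ... onerror=...>` intact, so the browser parses it as an element and runs the handler; the safe rendering contains only `&lt;img ...&gt;`, which displays as text. Encoding must be applied at output for the specific context (here HTML body text); storing the message already encoded is fragile, because any other consumer of the stored data then has to know it was pre-encoded.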
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- EmbedAI is a tool for creating chatbots, which are AI-powered conversational agents fitting the Enterprise AI Assistants category.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS allows authenticated attackers to inject arbitrary JavaScript into chat messages, enabling execution in victims' browsers upon viewing the chat (Command and Scripting Interpreter: JavaScript).