CVE-2025-25203
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25203 is a Cross-Site Scripting (XSS) vulnerability in CtrlPanel, open-source billing software for hosting providers, affecting versions prior to 1.0. The flaw exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation, combined with unsafe rendering of this field in the moderator panel. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-79.
An authenticated attacker with low privileges, such as a user able to create support tickets, can exploit this over the network with low attack complexity and no user interaction required. Exploitation stores a malicious payload in the `priority` field; the payload is then executed as JavaScript in the moderator panel's context when a moderator views the ticket, enabling high confidentiality and integrity impacts such as session theft, data exfiltration, or unauthorized modifications.
CtrlPanel version 1.0 addresses the issue with a patch. Administrators should upgrade to version 1.0 or later to mitigate. Additional details are available in the patch commit at https://github.com/Ctrlpanel-gg/panel/commit/393cbde662c7e54829e296eb5815794490d925c7 and the GitHub security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-2q43-grv2-jxwh.
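As an added defensive illustration (not CtrlPanel's code or its patch), the following Python sketches the two controls the summary implies: a server-side allow-list on `priority` at ticket creation and HTML output encoding when the value is rendered in the moderator panel, plus an audit that flags already-stored values outside the allow-list. The priority values, the `SAMPLE_ROWS` data and all function names are constructed assumptions.

```python
import html
import re

# Constructed allow-list of ticket priorities; CtrlPanel's real set is not given on the page.
ALLOWED_PRIORITIES = ("low", "medium", "high")

# Constructed sample of stored ticket rows, as an audit of an upgraded install might read them.
SAMPLE_ROWS = [
    {"id": 1, "priority": "high"},
    {"id": 2, "priority": "<b>urgent</b>"},       # markup stored before the fix
    {"id": 3, "priority": "medium"},
    {"id": 4, "priority": 'low" data-x="1'},      # quote breakout stored before the fix
]

# Characters and fragments that never belong in a plain priority token.
MARKUP_RE = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def validate_priority(value: object) -> str:
    """Allow-list check for the `priority` field at ticket creation.

    Anything that is not exactly one of the allowed tokens (after trimming and
    case-folding) is rejected, so markup never reaches storage.
    """
    if not isinstance(value, str):
        raise ValueError("priority must be a string")
    canon = value.strip().lower()
    if canon not in ALLOWED_PRIORITIES:
        raise ValueError(f"invalid priority: {value!r}")
    return canon


def render_priority_cell(priority: str) -> str:
    """Render the field for the moderator panel with output encoding as a
    second layer: even a value that bypassed validation becomes inert text."""
    return f"<td>{html.escape(priority, quote=True)}</td>"


def audit_stored_priorities(rows) -> list:
    """Return ids of stored tickets whose priority is outside the allow-list or
    contains markup-like characters. Run this after upgrading to find payloads
    that were stored before the fix and are still rendered to moderators."""
    flagged = []
    for row in rows:
        value = str(row.get("priority", ""))
        if value.strip().lower() not in ALLOWED_PRIORITIES or MARKUP_RE.search(value):
            flagged.append(row["id"])
    return flagged
```

Upgrading removes the injection point, but tickets created before the upgrade keep whatever was stored, so the audit step matters as much as the validation.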
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the ticket `priority` field allows arbitrary JavaScript execution in the moderator's browser context when the ticket is viewed, directly enabling session hijacking, cookie theft, and the related impacts described above.