CVE-2025-25035
Published: 21 March 2025
Summary
CVE-2025-25035 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Jalios JPlatform (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-25035 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified under CWE-79, enabling both Reflected and Stored Cross-Site Scripting (XSS) in Jalios JPlatform 10 and Jalios Workplace. The affected versions include JPlatform 10 prior to 10.0.8 (SP8), prior to 10.0.7 (SP7), and prior to 10.0.6 (SP6), as well as Jalios Workplace 6.2, 6.1, 6.0, and 5.3 through 5.5. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
Exploitation requires network access and low-privilege authentication, such as a standard user account, with low attack complexity but user interaction from a victim, such as clicking a malicious link or viewing crafted content. An attacker could inject malicious scripts into web pages, leading to reflected XSS for immediate execution on victim browsers or stored XSS for persistent attacks affecting multiple users. Successful exploitation enables high-impact outcomes, including theft of sensitive data like session cookies or credentials and unauthorized modification of page content or user data.
Vendor advisories, including the Jalios security alert at https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19 and related issue trackers (JCMS-11246, JCMS-11248, JCMS-11259), detail mitigations through patches in the specified service packs, such as upgrading JPlatform 10 to 10.0.8 (SP8) or later equivalents. Additional guidance is available in the VulnCheck advisory at https://vulncheck.com/advisories/jalios-jplatform-xss. Security practitioners should verify configurations and apply updates promptly to affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7214
Vulnerability details
Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios…
more
Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a reflected/stored XSS vulnerability (CWE-79) in a web platform, directly enabling exploitation of public-facing applications via network-accessible injection (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper neutralization of input by enforcing validation mechanisms to prevent XSS payload injection in web page generation.
Filters information output from web pages to neutralize malicious scripts, mitigating both reflected and stored XSS execution in victim browsers.
Ensures timely flaw remediation through patching to fixed versions like JPlatform 10.0.8, directly eliminating the specific XSS vulnerability.