CVE-2025-25203
Published: 11 February 2025
Summary
CVE-2025-25203 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 27.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like the 'priority' field to prevent injection of malicious scripts during ticket creation.
SI-15 mandates filtering of information outputs to block unsafe rendering of the 'priority' field in the moderator panel, stopping XSS execution.
SI-2 ensures timely identification, reporting, and patching of flaws like this XSS vulnerability, as addressed in CtrlPanel version 1.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the ticket priority field allows arbitrary JavaScript execution in the moderator's browser context upon viewing, directly enabling session hijacking, cookie theft, and related impacts as described.
NVD Description
CtrlPanel is open-source billing software for hosting providers. Prior to version 1.0, a Cross-Site Scripting (XSS) vulnerability exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation and unsafe rendering of this field in the moderator panel. Version 1.0 contains a patch for the issue.
Deeper analysis
CVE-2025-25203 is a Cross-Site Scripting (XSS) vulnerability in CtrlPanel, an open-source billing software for hosting providers, affecting versions prior to 1.0. The flaw exists in the `TicketsController` and `Moderation/TicketsController` due to insufficient input validation on the `priority` field during ticket creation, combined with unsafe rendering of this field in the moderator panel. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-79.
An authenticated attacker with low privileges, such as a user able to create support tickets, can exploit this over the network with low attack complexity and no user interaction required. Exploitation injects malicious payloads into the `priority` field, which are then executed as JavaScript in the moderator panel's context upon viewing, enabling high confidentiality and integrity impacts like session theft, data exfiltration, or unauthorized modifications.
CtrlPanel version 1.0 addresses the issue with a patch. Administrators should upgrade immediately to mitigate. Additional details are available in the patch commit at https://github.com/Ctrlpanel-gg/panel/commit/393cbde662c7e54829e296eb5815794490d925c7 and the GitHub security advisory at https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-2q43-grv2-jxwh.
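The two controls named above map directly onto the two halves of the flaw: allow-list validation of `priority` on input (SI-10) and HTML escaping of the stored value on output (SI-15). The following plain-PHP example is added here for illustration and is not CtrlPanel's code or its patch; the allowed priority values and the table-cell markup are constructed assumptions.

```php
<?php
// Illustrative example (not CtrlPanel's code): allow-list validation of the
// ticket 'priority' field on input (SI-10) and HTML escaping on output (SI-15).
declare(strict_types=1);

// Priorities the application supports (constructed; the real project's values
// are not given on the advisory page).
const ALLOWED_PRIORITIES = ['low', 'medium', 'high'];

/**
 * Input validation: accept the field only if it is exactly one of the
 * allow-listed values. Anything else is rejected rather than "cleaned", so a
 * script payload never reaches the database in the first place.
 */
function validatePriority(mixed $input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    $value = strtolower(trim($input));
    return in_array($value, ALLOWED_PRIORITIES, true) ? $value : null;
}

/**
 * Output filtering for the moderator panel: escape for an HTML text context.
 * ENT_QUOTES also escapes quotes and ENT_SUBSTITUTE replaces invalid UTF-8, so
 * the value stays inert even if an unvalidated record already exists.
 */
function renderPriorityCell(string $stored): string
{
    return '<td class="priority">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// The unsafe pattern the advisory describes: the stored field is echoed raw.
function renderPriorityCellUnsafe(string $stored): string
{
    return '<td class="priority">' . $stored . '</td>';
}

// Constructed sample inputs: one legitimate value, one containing markup.
foreach (['high', '<b onmouseover="x()">high</b>'] as $sample) {
    $valid = validatePriority($sample);
    printf("input=%s validated=%s\n", var_export($sample, true), var_export($valid, true));
    echo '  unsafe : ', renderPriorityCellUnsafe($sample), PHP_EOL;
    echo '  escaped: ', renderPriorityCell($sample), PHP_EOL;
}
```

Existing tickets stored before the upgrade still carry whatever was submitted, which is why the output-side control matters independently of the input-side one.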
Details
- CWE(s)