CVE-2025-52360
Published: 25 July 2025
Summary
CVE-2025-52360 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.0% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-52360 is a Cross-Site Scripting (XSS) vulnerability, mapped to CWE-79, in the OPAC (public catalogue) search feature of the Koha Library Management System version 24.05. A search term entered into the search field is stored in the user's search history and rendered back into the search history interface without HTML escaping, so a term that contains markup is interpreted as markup rather than displayed as text. Arbitrary JavaScript therefore executes in the victim's browser, in the OPAC origin, when the victim opens or interacts with the search history. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H): network-reachable, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. The one metric in the defender's favour is that user interaction is required (UI:R).
Because the payload travels inside the search term itself, an attacker needs no account and no access to the Koha server: it is enough to get a legitimate user, such as a library patron, to run a crafted search, for example by sending a phishing link to the OPAC search URL with the payload pre-filled in the query. Once that search is in the history, the script runs whenever the user views the history interface. In the user's session it can read data the page can reach (cookies that are not marked HttpOnly, page content, any token exposed to script), manipulate the DOM, and issue requests to the OPAC as the user. Marking the session cookie HttpOnly blocks the cookie-theft variant but not the impersonation variant, since the script acts from inside the authenticated page.
Mitigation details are available in the referenced advisory at https://gist.github.com/MerttTuran/32289a1d3c173f0b7934237c1696bef1, published alongside the CVE on 2025-07-25.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22709
Vulnerability details
A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser context when the user interacts with the interface.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is an XSS in a public-facing web application, so the entry point is Exploit Public-Facing Application (T1190). Successful exploitation yields arbitrary script execution in the victim's browser, JavaScript (T1059.007), which is in turn the usual vehicle for Steal Web Session Cookie (T1539) against the OPAC session.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): validate search terms at the point of entry, before they are stored in the search history, so that markup and script fragments are rejected or neutralised rather than persisted.
SI-15 (Information Output Filtering): HTML-encode every value rendered into the search history interface, so that a stored term that does contain markup is displayed as literal text and cannot execute in the victim's browser. Output encoding is the control that actually closes CWE-79; input validation is defence in depth.
SI-2 (Flaw Remediation): identify, report, and correct the XSS flaw in the Koha v24.05 OPAC through the vendor fix or an equivalent code correction, within the organisation's patch timelines.
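The defect described under Deeper analysis, with the SI-10 and SI-15 controls listed above applied to it, in a self-contained JavaScript model of a search-history view. This is an added illustration, not Koha's own code: Koha's OPAC is Perl rendered through Template Toolkit, where the equivalent of the `escapeHtml` function below is the `| html` filter. The route path, the sample history entries, the allowlist pattern and the 200-character cap are all assumptions constructed for this example. It runs under Node.js with no dependencies.

```javascript
// Added example, not Koha code. Models a search-history view rendered
// (a) by raw interpolation, which is the CWE-79 defect, and (b) with
// output encoding (NIST SI-15) plus input validation (NIST SI-10).

// Constructed sample history. The last entry is the kind of term a
// phishing link would pre-fill into the OPAC search box.
const SAMPLE_HISTORY = [
  { query: 'dune herbert', time: '2025-07-25T10:00:00Z' },
  { query: 'rust & go', time: '2025-07-25T10:01:00Z' },
  { query: '"><img src=x onerror=alert(document.cookie)>', time: '2025-07-25T10:02:00Z' },
];

// (a) VULNERABLE: the stored term is dropped into markup verbatim, once
// inside an attribute and once as element text. The third entry closes the
// attribute and the <a>, then injects an element with an event handler.
function renderHistoryVulnerable(history) {
  return history
    .map(h => `<li><a href="/cgi-bin/koha/opac-search.pl?q=${h.query}">${h.query}</a></li>`)
    .join('\n');
}

// SI-15, output encoding: the five HTML-significant characters become
// entities, so user data can never open or close a tag or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// (b) HARDENED: every reflected value is encoded for the context it lands
// in. The text node gets HTML encoding; the query-string parameter gets
// URL encoding first, then HTML encoding because it sits in an attribute.
function renderHistorySafe(history) {
  return history
    .map(h => {
      const text = escapeHtml(h.query);
      const href = '/cgi-bin/koha/opac-search.pl?q=' + encodeURIComponent(h.query);
      return `<li><a href="${escapeHtml(href)}">${text}</a></li>`;
    })
    .join('\n');
}

// SI-10, input validation: an allowlist of what a catalogue search needs
// (letters, digits, spaces, basic punctuation, Boolean/wildcard symbols)
// and a length cap, checked before the term is stored. Angle brackets are
// not in the set. The set and the 200-char cap are assumptions for this
// example; output encoding above is what guarantees safety regardless.
const SEARCH_TERM_RE = /^[\p{L}\p{N}\s.,:;'"&*?()\-]{1,200}$/u;
function isValidSearchTerm(query) {
  return SEARCH_TERM_RE.test(query);
}

// Check helper: does rendered markup contain a tag that came from user data?
// Used here as a unit-test style assertion; in a real deployment this is the
// kind of check a template-rendering test would carry.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

console.log('--- vulnerable rendering ---\n' + renderHistoryVulnerable(SAMPLE_HISTORY));
console.log('--- hardened rendering ---\n' + renderHistorySafe(SAMPLE_HISTORY));
console.log('third term passes validation:', isValidSearchTerm(SAMPLE_HISTORY[2].query));
```

Running it prints both renderings: in the vulnerable one the `<img … onerror=…>` appears as a live element, in the hardened one the same bytes appear as `&lt;img … &gt;` and the browser shows them as text. Note that the two encoders are not interchangeable: URL-encoding alone does not protect the element text, and HTML-encoding alone does not protect a value placed in a URL parameter.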