
CVE-2025-10253: Cross Site Scripting in openDCIM

Medium
Tags: Vulnerability, CVE-2025-10253
Published: Thu Sep 11 2025 (09/11/2025, 14:02:06 UTC)
Source: CVE Database V5
Product: openDCIM

Description

A vulnerability has been found in openDCIM 23.04. This vulnerability affects unknown code of the file /scripts/uploadifive.php of the component SVG File Handler. Such manipulation of the argument Filedata leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/11/2025, 14:35:03 UTC

Technical Analysis

CVE-2025-10253 is a cross-site scripting (XSS) vulnerability in openDCIM 23.04, located in /scripts/uploadifive.php, the server-side endpoint behind the Uploadifive upload widget, which the advisory files under the SVG File Handler component. The affected input is the Filedata argument. Filedata is the multipart form field under which Uploadifive submits the file itself, so the tainted data is the uploaded SVG rather than a query-string value. The advisory does not publish the payload, but the component name points at the well-known SVG upload problem: an SVG is an XML document and may carry <script> elements, on* event handlers, javascript: links, foreignObject blocks, DTD entities and external references. If the handler stores such a file without sanitizing it and the application later serves or renders it, the embedded script runs in the browser of whoever views it, inside that user's openDCIM session. On that reading this is a stored, file-borne XSS rather than a reflected one.

The CVSS 4.0 base score is 5.1 (Medium). The metrics read as follows: attack vector network (AV:N), attack complexity low (AC:L), privileges required low (PR:L), user interaction passive (UI:P). PR:L means the attacker needs an authenticated openDCIM account with ordinary rights; anonymous access is not enough. UI:P means the victim does not have to click anything unusual: opening a page that displays the uploaded file is sufficient. The impacts are none for confidentiality, low for integrity and none for availability, which is the usual scoring convention for XSS; in practice the consequences are client-side: actions performed in the victim's session, theft of any token that JavaScript can read, and phishing or redirection.

The vendor did not respond to the disclosure and no fix was available at publication. No exploitation in the wild has been reported, but the exploit details are public, which raises the likelihood of attempts. openDCIM is an open-source data center infrastructure management tool used to track assets, power and cooling, so its users are typically the staff who administer physical IT infrastructure, and their sessions are the target.

Potential Impact

For European organizations running openDCIM, the consequence of this flaw is that anyone holding an ordinary openDCIM login can plant script that executes in the browsers of administrators who view the affected asset. Successful exploitation could lead to session hijacking, credential theft, or redirection to attacker-controlled sites, and from there to unauthorized changes to asset, power or connectivity records made through the victim's session. The bug does not directly affect the availability of the system or the confidentiality of backend data, but a hijacked administrator session can escalate into a broader incident. Because PR:L requires a low-privilege account, the realistic attacker is an insider, a contractor, or anyone who has already obtained a user credential; because the required user interaction is passive (UI:P), no phishing is needed, although an attacker may still steer a target toward the asset that carries the payload. Data centers underpin financial institutions, telecommunications providers and government agencies across Europe, so a compromised management interface could disrupt operational continuity and erode trust in IT management systems. The absence of a vendor response or patch leaves compensating controls as the only option for now.

Mitigation Recommendations

1. Treat SVG uploads to /scripts/uploadifive.php as untrusted until a fix exists. Either disable SVG uploads (accept only raster formats such as PNG or JPEG, and check the file content rather than the extension or the client-supplied MIME type) or pass every SVG through a sanitizer that removes <script>, foreignObject, on* event handlers, javascript: and data: hrefs, external references and any DOCTYPE/ENTITY declaration. Organizations with in-house PHP capacity can apply such a check directly in the upload script; others should disable the upload functionality temporarily.
2. Serve the directory where openDCIM stores uploaded files so that the browser will not execute what it contains: Content-Disposition: attachment and X-Content-Type-Options: nosniff on that directory, plus a restrictive Content-Security-Policy for it. An SVG referenced from an <img> tag does not run script, but the same file opened directly as a document does, so this header hardening closes the direct-view path without fixing the upload itself.
3. Restrict access to the openDCIM web interface to trusted networks and users through network segmentation, VPN access or IP allow-listing; the attacker needs a valid account, so also review who holds one and remove stale or shared logins.
4. Deploy a Content Security Policy on the main application that forbids inline script. This limits what an injected payload can do but does not remove the vulnerability.
5. Monitor web server logs for POST requests to /scripts/uploadifive.php from accounts that have no reason to upload images, and audit the existing upload directory for SVG files containing script, event handlers or foreign content.
6. Deploy a web application firewall with rules for XSS payloads in multipart uploads, bearing in mind that a WAF inspecting only query strings will not see the file body.
7. Back up openDCIM configuration and data regularly so that records altered through a hijacked session can be restored.
8. Engage with the openDCIM community or contribute a patch, given the vendor's lack of response.
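What a pre-upload or audit check for this class of bug looks like, as an added example that is not openDCIM code and does not reproduce the published exploit file (the advisory does not publish the payload). The scanner assumes the exploit relies on the standard SVG active-content vectors (script elements, event handlers, javascript: links, foreignObject, DTD entities); the function names svg_findings, is_safe_svg and scan_samples, and the sample SVGs in SAMPLES, are this example's own constructions. It covers both the upload-time check in mitigation 1 and the audit of existing uploads in mitigation 5.

```python
"""Static check for active content in SVG uploads.

Added example for the openDCIM SVG upload XSS (CVE-2025-10253); not openDCIM
code and not the published exploit.  Assumes the usual SVG vectors (script,
event handlers, javascript: links, foreignObject, DTD entities), which the
advisory implies but does not spell out.  Sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute code or embed a foreign document inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Refused before the XML parser ever sees the bytes: DTDs (entity expansion,
# external entities) and stylesheet processing instructions (external XSLT/CSS).
PRE_PARSE_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.I)
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
EXTERNAL_REF = re.compile(r"^\s*(https?:)?//", re.I)
CSS_ACTIVE = re.compile(r"url\s*\(|@import|expression\s*\(", re.I)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons this SVG must be rejected (empty list means clean)."""
    findings = []
    if PRE_PARSE_MARKER.search(data):
        return ["dtd/pi: DOCTYPE, ENTITY or xml-stylesheet declaration"]
    try:
        root = ET.fromstring(data)          # comments and PIs are dropped by default
    except ET.ParseError as exc:
        return [f"parse-error: not well-formed XML ({exc})"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root: expected svg in SVG namespace, got {root.tag!r}")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element: <{name}>")
        # <set>/<animate> can rewrite an href to javascript: after the file loads.
        if name in ("set", "animate") and el.get("attributeName", "").endswith("href"):
            findings.append(f"element: <{name}> targeting href")
        if name == "style" and el.text and CSS_ACTIVE.search(el.text):
            findings.append("style: element with url()/@import")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):            # onload, onclick, onerror, ...
                findings.append(f"handler: {a} on <{name}>")
            elif a in ("href", "src"):                # href, xlink:href, xhtml src
                if DANGEROUS_SCHEME.match(value):
                    findings.append(f"uri: {value[:40]!r} on <{name}>")
                elif EXTERNAL_REF.match(value):
                    findings.append(f"external: {value[:40]!r} on <{name}>")
            elif a == "style" and CSS_ACTIVE.search(value):
                findings.append(f"style: attribute with url() on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: one clean icon and the classic active-content variants.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="#0a0"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<circle r="5"/></svg>',
    "js_href": b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
               b'<body xmlns="http://www.w3.org/1999/xhtml">'
               b'<img src="x" onerror="alert(1)"/></body></foreignObject></svg>',
    "entity": b'<?xml version="1.0"?>'
              b'<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
    "polyglot": b'GIF89a<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>',
}


def scan_samples() -> dict:
    """Run the check over every sample; returns {name: findings}."""
    return {name: svg_findings(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:9s} {'OK    ' if not found else 'REJECT'} {found}")
```

The raw-byte check for DOCTYPE and ENTITY runs before parsing on purpose: handing a DTD to the XML parser is what enables entity expansion and external entity tricks, so the file is refused without ever being parsed. The check is deliberately a reject list over a small set of constructs rather than a rewriter; a production sanitizer should instead allow-list SVG elements and attributes and re-serialize the document, but even this check would have stopped every sample above except the clean icon.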


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-11T05:34:13.578Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c2de05689da4b209a14d2f

Added to database: 9/11/2025, 2:34:45 PM

Last enriched: 9/11/2025, 2:35:03 PM

Last updated: 9/11/2025, 3:31:57 PM

