
CVE-2025-10348: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Eveo URVE Smart Office

Severity: Medium
Tags: Vulnerability, CVE-2025-10348, CWE-79
Published: Thu Oct 30 2025 (10/30/2025, 13:00:43 UTC)
Source: CVE Database V5
Vendor/Project: Eveo
Product: URVE Smart Office

Description

URVE Smart Office is vulnerable to Stored XSS in report problem functionality. An attacker with a low-privileged account can upload an SVG file containing a malicious payload, which will be executed when a victim visits the URL of the uploaded resource. The resource is available to anyone without any form of authentication. This issue was fixed in version 1.1.24.

AI-Powered Analysis

AI analysis last updated: 10/30/2025, 13:25:51 UTC

Technical Analysis

CVE-2025-10348 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Eveo URVE Smart Office product. It lies in the 'report problem' functionality: an attacker holding a low-privileged account can upload an SVG file that embeds malicious JavaScript. Because the application does not neutralize this input during web page generation, the script is stored and later executes in the browser of any user who visits the URL at which the uploaded SVG is served. Notably, that resource is reachable without any authentication, which significantly widens the attack surface. Script execution in a victim's browser can lead to session hijacking, credential theft, or further exploitation such as pivoting within the network. The CVSS 4.0 base score is 5.1 (medium), reflecting a network attack vector, low attack complexity, low privileges required (a low-privileged account), and user interaction limited to the victim visiting the malicious URL. The vulnerability was fixed in version 1.1.24 of URVE Smart Office. No known exploits had been reported in the wild as of the publication date. The issue was reserved in September 2025 and published in October 2025 by CERT-PL.

Potential Impact

For European organizations using vulnerable versions of URVE Smart Office, this XSS vulnerability poses risks including unauthorized script execution in users' browsers, which can lead to session hijacking, theft of sensitive information, and potential lateral movement within corporate networks. Since the malicious SVG resource is publicly accessible, attackers can easily distribute malicious links via phishing or other social engineering methods. The impact is heightened in environments where URVE Smart Office is integrated with other internal systems or handles sensitive office management data. Compromise could undermine confidentiality and integrity of user sessions and data. Additionally, the vulnerability could be leveraged as a foothold for more sophisticated attacks, especially in organizations with high-value targets or critical infrastructure. The medium severity score indicates a moderate risk, but the ease of exploitation and public accessibility of the malicious resource make timely patching critical.

Mitigation Recommendations

European organizations should immediately verify their URVE Smart Office version and upgrade to version 1.1.24 or later, where the vulnerability is fixed. Until patching is complete, restrict access to the 'report problem' functionality and uploaded resources by implementing authentication and authorization controls to prevent public access. Employ web application firewalls (WAFs) with rules targeting SVG and script injection attempts to detect and block malicious payloads. Conduct user awareness training to recognize suspicious URLs and phishing attempts that may exploit this vulnerability. Regularly audit uploaded files for malicious content and sanitize inputs on the server side to prevent script execution. Implement Content Security Policy (CSP) headers to restrict script execution sources in browsers. Monitor logs for unusual access patterns to the report problem resource URLs. Finally, coordinate with Eveo support for any additional recommended mitigations or updates.
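Two of the controls listed above, server-side screening of uploaded SVG files and serving stored uploads with headers that block script execution, are shown in the added Python example below. This is illustrative code written for this page, not code from Eveo or the URVE Smart Office product; the element and attribute lists, the header values and the sample SVG documents are constructed assumptions about what a reasonable upload handler would enforce.

```python
"""Defensive handling of user-uploaded SVG files (constructed example).

Two layers that together address stored XSS via an SVG upload:
  1. scan_svg(): reject SVGs carrying script-capable content before storing them.
  2. upload_response_headers(): serve whatever is stored with headers that keep a
     browser from executing script even if a bad file slips past the scan.
"""
import re
import xml.etree.ElementTree as ET  # assumption: production code would use defusedxml
from typing import Dict, List

# Elements that can run script or pull in active or external content (constructed list).
FORBIDDEN_ELEMENTS = {
    "script", "foreignobject", "iframe", "embed", "object",
    "animate", "animatetransform", "set", "handler", "use",
}
# URL schemes that must never appear in href/src-style attributes.
DANGEROUS_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the result."""
    return name.rsplit("}", 1)[-1].lower()


def _compact(value: str) -> str:
    """Drop whitespace and NULs so spellings like 'java<TAB>script:' normalise."""
    return "".join(value.replace("\x00", "").split()).lower()


def _script_in_css(text: str) -> bool:
    """True when CSS text references a script URL or a legacy expression()."""
    compact = _compact(text)
    return "javascript:" in compact or "expression(" in compact


def scan_svg(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the SVG passed every check."""
    findings: List[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        if tag == "style" and el.text and _script_in_css(el.text):
            findings.append("script-capable content inside <style>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event-handler attribute '{aname}' on <{tag}>")
            elif aname.endswith("href") or aname == "src":
                if DANGEROUS_SCHEME.match(_compact(value)):
                    findings.append(f"dangerous URL scheme in '{aname}' on <{tag}>")
            elif aname == "style" and _script_in_css(value):
                findings.append(f"script-capable content in style attribute on <{tag}>")
    return findings


def upload_response_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving an uploaded SVG from the report store.

    The file is treated as untrusted even after scanning: the CSP sandbox forbids
    script execution, and Content-Disposition: attachment stops the file from
    rendering as a page when its URL is opened directly. Embedding it via <img>
    still works, and browsers never run script from an <img>-loaded SVG.
    """
    # Restrict the filename echoed into the header to avoid header injection.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)[:100] or "upload.svg"
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Cache-Control": "no-store",
    }


# Constructed sample inputs (not files from the affected product).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect x="1" y="1" width="8" height="8" fill="green"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">
  <script>/* placeholder: any script here would run in the site's origin */</script>
  <a xlink:href="java&#9;script:void(0)"><text x="0" y="10">click</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
    print(upload_response_headers("report 42.svg"))
```

The scan rejects the constructed suspicious file on three independent grounds (the `onload` handler, the `<script>` element and the `javascript:` link, even with the tab-obfuscated scheme), while the response headers make the served file inert on the off chance something bypasses the scan. Both layers are needed: the scan keeps bad content out of storage, and the headers cover the unauthenticated download URL that the advisory identifies as the exposure.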


Technical Details

Data Version: 5.2
Assigner Short Name: CERT-PL
Date Reserved: 2025-09-12T09:42:32.466Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690363e9aebfcd547465bb77

Added to database: 10/30/2025, 1:11:05 PM

Last enriched: 10/30/2025, 1:25:51 PM

Last updated: 10/30/2025, 4:35:57 PM
