CVE-2025-10612: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in giSoft Information Technologies City Guide

Medium
Vulnerability | CVE-2025-10612 | cve | cve-2025-10612 | cwe-79
Published: Tue Oct 21 2025 (10/21/2025, 08:48:37 UTC)
Source: CVE Database V5
Vendor/Project: giSoft Information Technologies
Product: City Guide

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in giSoft Information Technologies City Guide allows Reflected XSS. This issue affects City Guide: before 1.4.45.

AI-Powered Analysis

Last updated: 10/28/2025, 09:02:11 UTC

Technical Analysis

CVE-2025-10612 is a reflected Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting giSoft Information Technologies' City Guide software versions prior to 1.4.45. The vulnerability stems from improper neutralization of input during web page generation, allowing attackers to inject malicious JavaScript code that is reflected back to users without proper sanitization or encoding. When a victim clicks a crafted URL or interacts with malicious content, the injected script executes in their browser context, potentially stealing session cookies, performing actions on behalf of the user, or redirecting to malicious sites. The vulnerability requires no privileges (PR:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of user data. The CVSS 3.1 score of 6.1 reflects a medium severity level, with partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The absence of patch links suggests that a fix may be forthcoming or that users should monitor vendor advisories. The vulnerability is particularly relevant for organizations deploying City Guide in web-facing environments, especially those serving tourists or city residents who may be targeted via phishing or social engineering campaigns.
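The 6.1 score can be reproduced from the metrics named above. The following is an added example, not part of the original advisory: it applies the CVSS v3.1 base-score formulas from the FIRST specification. The full vector string is an assumption, with C:L/I:L/A:N read from "partial impact on confidentiality and integrity but no impact on availability".

```javascript
// CVSS v3.1 base-metric weights from the FIRST specification.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// Privileges Required is weighted differently when scope is changed.
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// Spec-defined Roundup: smallest one-decimal value >= x, using integer
// arithmetic so floating-point drift cannot push a score up a step.
function roundup(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function parseVector(vector) {
  const [prefix, ...parts] = vector.split('/');
  if (prefix !== 'CVSS:3.1') throw new Error('expected a CVSS:3.1 vector');
  const m = Object.fromEntries(parts.map((p) => p.split(':')));
  for (const k of ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']) {
    if (!(k in m)) throw new Error(`missing metric ${k}`);
  }
  if (!(m.S in PR)) throw new Error('invalid value for S');
  return m;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const num = (k) => {
    const v = k === 'PR' ? PR[m.S][m.PR] : W[k][m[k]];
    if (v === undefined) throw new Error(`invalid value for ${k}`);
    return v;
  };
  const changed = m.S === 'C';
  const iss = 1 - (1 - num('C')) * (1 - num('I')) * (1 - num('A'));
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability = 8.22 * num('AV') * num('AC') * num('PR') * num('UI');
  if (impact <= 0) return 0;
  return roundup(Math.min((changed ? 1.08 : 1) * (impact + exploitability), 10));
}

// Assumed vector for CVE-2025-10612 (see lead-in); not quoted from the page.
const CITY_GUIDE_VECTOR = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N';
console.log(CITY_GUIDE_VECTOR, '->', baseScore(CITY_GUIDE_VECTOR));
```

Changing UI:R to UI:N in the same vector raises the result to 7.2, which shows how much of the medium rating rests on the user-interaction requirement.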

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive user information such as session tokens or personal data, enabling account hijacking or impersonation within the City Guide application. The integrity of user interactions may be compromised, allowing attackers to perform unauthorized actions or redirect users to malicious websites. While availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations operating in sectors reliant on City Guide for tourism, municipal services, or local business promotion are at higher risk, as attackers may exploit this vulnerability to target large user bases. The medium severity indicates that while the threat is not critical, it still warrants timely mitigation to prevent exploitation, especially given the potential for phishing campaigns leveraging this XSS flaw. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

Mitigation Recommendations

Organizations should implement multiple layers of defense to mitigate this vulnerability effectively. First, apply any available patches or updates from giSoft Information Technologies as soon as they are released. In the absence of patches, deploy web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting City Guide endpoints. Review and enhance input validation and output encoding mechanisms in the application code to ensure all user-supplied data is properly sanitized before rendering. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to educate users about the risks of clicking suspicious links, especially those purporting to be from City Guide or related services. Monitor logs and network traffic for unusual activity indicative of attempted XSS exploitation. Finally, coordinate with giSoft for timely vulnerability disclosures and remediation guidance, and consider isolating or restricting access to vulnerable City Guide instances until patched.
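The output-encoding and CSP recommendations above, shown as a before/after pair. This is an added example and not giSoft's code: the template, the `q` parameter and all function names are hypothetical, and the sample input is constructed.

```javascript
// Encode the characters that can break out of HTML text or a quoted attribute.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the request value is concatenated into markup unchanged (CWE-79).
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1><input name="q" value="${query}">`;
}

// "After": the same template with the value encoded at the point of output.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Response headers as defence in depth: with script-src 'self' and no
// 'unsafe-inline', the browser refuses inline script even if an encoding
// gap remains somewhere else in the application.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed input of the kind a reflected-XSS test case would send.
const SAMPLE_QUERY = '"><script>alert(1)</script>';

console.log('unsafe:', renderResultsUnsafe(SAMPLE_QUERY));
console.log('safe:  ', renderResultsSafe(SAMPLE_QUERY));
console.log(securityHeaders()['Content-Security-Policy']);
```

The encoder covers HTML text and quoted attribute contexts only; values placed inside script blocks, URLs or CSS need context-specific encoding.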


Technical Details

Data Version: 5.1
Assigner Short Name: TR-CERT
Date Reserved: 2025-09-17T09:15:05.471Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f74b48cab76000dd20dfa0

Added to database: 10/21/2025, 8:58:48 AM

Last enriched: 10/28/2025, 9:02:11 AM

Last updated: 12/3/2025, 4:52:32 AM
