CVE-2025-10614 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the itsourcecode E-Logbook with Health Monitoring System for COVID-19. The vulnerability exists in the /print_reports_prev.php file, specifically in the handling of the 'profile_id' parameter. An attacker can manipulate this argument to inject malicious scripts that execute in the context of the victim's browser. This type of vulnerability allows an attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of the user. The vulnerability is remotely exploitable without requiring authentication, although it requires user interaction (e.g., the victim must visit a crafted URL). The CVSS 4.0 base score is 5.3, indicating a medium severity level, with the vector showing network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on integrity but no impact on confidentiality or availability. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. Given the product's focus on COVID-19 health monitoring, it is likely used by healthcare providers or organizations involved in pandemic response, making the confidentiality and integrity of health data a concern. The vulnerability could be leveraged to target users of the system, potentially leading to phishing or session hijacking attacks within the healthcare context.

For European organizations, especially those involved in healthcare and pandemic management, this vulnerability poses a risk to the integrity and trustworthiness of health monitoring data. Exploitation could lead to unauthorized actions performed in the context of legitimate users, potentially disrupting health monitoring workflows or exposing sensitive health-related information indirectly through session hijacking or social engineering. While the direct confidentiality impact is limited, the integrity impact could affect decision-making based on compromised data. Additionally, the presence of malicious scripts could undermine user trust and compliance with data protection regulations such as GDPR. The medium severity suggests that while the threat is not critical, it should be addressed promptly to prevent escalation or chaining with other vulnerabilities. The remote exploitability without authentication increases the attack surface, especially if the system is accessible over the internet or within large organizational networks.

1. Immediate patching or upgrading to a fixed version of the E-Logbook system once available is the most effective mitigation. 2. In the absence of an official patch, implement input validation and output encoding on the 'profile_id' parameter to neutralize malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the application context. 4. Conduct a thorough security review of all user input handling in the application, focusing on parameters that are reflected in responses. 5. Educate users to be cautious about clicking on unknown or suspicious links related to the system. 6. Monitor web server logs for unusual requests targeting the vulnerable parameter to detect potential exploitation attempts. 7. Restrict access to the application to trusted networks or through VPNs to reduce exposure. 8. Implement multi-factor authentication and session management best practices to limit the impact of session hijacking if it occurs.