
CVE-2025-10869: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Oct8ne Chatbot

Severity: Medium
Tags: Vulnerability, CVE-2025-10869, CWE-79
Published: Wed Oct 15 2025 (10/15/2025, 12:37:53 UTC)
Source: CVE Database V5
Vendor/Project: Oct8ne
Product: Chatbot

Description

Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Data/SaveInteractions.

AI-Powered Analysis

Last updated: 10/22/2025, 13:24:38 UTC

Technical Analysis

CVE-2025-10869 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting Oct8ne Chatbot version 2.3. The vulnerability occurs due to improper neutralization of input during web page generation, specifically when chat transcripts are created and sent via email. Attackers can inject malicious JavaScript payloads into the transcript data through the /Data/SaveInteractions endpoint. When the recipient opens the emailed transcript, the malicious script executes in their browser context, potentially stealing session cookies or performing unauthorized actions on their behalf. The vulnerability does not require authentication and can be triggered with user interaction (opening the email). The CVSS 4.0 score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction is necessary. Although no public exploits are currently known, the risk of exploitation exists due to the common use of chatbots and email-based transcript sharing. The vulnerability impacts confidentiality and integrity by enabling data theft and unauthorized actions. The lack of a patch link suggests a fix may not yet be available, increasing urgency for mitigation. The vulnerability was published on October 15, 2025, and assigned by INCIBE, indicating credible reporting.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user data. Attackers exploiting this flaw can hijack user sessions, steal sensitive information, or perform actions impersonating legitimate users, potentially leading to data breaches or unauthorized transactions. Organizations using Oct8ne Chatbot 2.3, especially those relying on emailed chat transcripts for customer support or communication, face increased exposure. The impact is heightened in sectors handling sensitive personal or financial data, such as banking, healthcare, and e-commerce. Additionally, phishing campaigns leveraging malicious transcripts could amplify the threat. Although availability is not directly affected, the reputational damage and regulatory consequences under GDPR for data leakage could be significant. The medium severity score reflects that exploitation requires user interaction but no authentication, making it a realistic threat vector in operational environments.

Mitigation Recommendations

1. Immediately review and restrict access to the /Data/SaveInteractions endpoint to trusted users or internal networks only.
2. Implement strict input validation and output encoding on all user-supplied data, especially in transcript generation and email rendering processes, to neutralize potentially malicious scripts.
3. Disable or limit the automatic emailing of chat transcripts until a vendor patch is available.
4. Educate users and support staff to recognize suspicious emails containing chat transcripts and avoid opening unexpected or unverified messages.
5. Monitor logs for unusual activity related to transcript creation or access patterns indicative of exploitation attempts.
6. Engage with Oct8ne vendor support to obtain or request a security patch addressing this vulnerability.
7. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of injected scripts in browsers.
8. Use email security gateways to scan and filter malicious content in incoming emails.
9. Regularly update and audit chatbot software and dependencies to reduce exposure to known vulnerabilities.
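The following is an added illustration of recommendations 2 and 5, not code from Oct8ne or from this record: a transcript-to-HTML renderer in the vulnerable concatenation style next to its output-encoded form, plus a small check that flags submitted interactions containing markup for the log monitoring step. The `Interaction` structure and the sample messages are assumptions; the only page-sourced detail is that transcript data reaches the renderer via /Data/SaveInteractions.

```python
import html
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Interaction:
    sender: str  # participant display name; the visitor side is attacker-controlled
    text: str    # message body as submitted to a hypothetical SaveInteractions handler


# Constructed sample transcript: the visitor's message carries markup instead of plain text.
SAMPLE: List[Interaction] = [
    Interaction("agent", "Hello, how can I help?"),
    Interaction("visitor", "Hi <script>document.title='xss'</script> there"),
]


def render_transcript_unsafe(interactions: Iterable[Interaction]) -> str:
    """Vulnerable pattern: raw user strings concatenated into the HTML email body."""
    rows = "".join(f"<p><b>{i.sender}:</b> {i.text}</p>" for i in interactions)
    return f"<html><body>{rows}</body></html>"


def render_transcript_safe(interactions: Iterable[Interaction]) -> str:
    """Hardened pattern: every user-controlled field is entity-encoded at output time,
    so stored markup is displayed as text instead of being parsed by the mail client."""
    rows = "".join(
        f"<p><b>{html.escape(i.sender)}:</b> {html.escape(i.text)}</p>" for i in interactions
    )
    return f"<html><body>{rows}</body></html>"


# A chat message should never legitimately contain an HTML tag or a javascript: URL.
_MARKUP = re.compile(r"</?[a-zA-Z][^>]*>|javascript:", re.IGNORECASE)


def flag_suspicious_interaction(i: Interaction) -> bool:
    """Monitoring aid: True when a submitted field looks like markup rather than chat text.
    Intended for alerting on SaveInteractions submissions, not as a replacement for encoding."""
    return bool(_MARKUP.search(i.sender) or _MARKUP.search(i.text))


if __name__ == "__main__":
    print(render_transcript_unsafe(SAMPLE))
    print(render_transcript_safe(SAMPLE))
    print([flag_suspicious_interaction(i) for i in SAMPLE])
```

Output encoding at render time is the fix; the flagging regex only supports the monitoring recommendation and will not catch every encoding trick.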


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-09-23T10:16:04.541Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ef9b21178f764e1f470996

Added to database: 10/15/2025, 1:01:21 PM

Last enriched: 10/22/2025, 1:24:38 PM

Last updated: 11/28/2025, 5:57:59 AM

