CVE-2025-11308 is a cross-site scripting (XSS) vulnerability identified in Vanderlande Baggage 360 version 7.0.0, specifically affecting an unknown function within the /api-addons/v1/messages endpoint. The vulnerability arises from improper neutralization of user-controllable input in the 'Message' argument, allowing malicious scripts to be injected and executed in the context of other users' browsers. This is classified under CWE-79, which pertains to improper input sanitization leading to XSS. The attack can be initiated remotely without authentication, though it requires some user interaction to trigger the malicious payload. The exploit is publicly available as a proof-of-concept, increasing the risk of exploitation. The vendor has been contacted but has not responded or provided any patches or mitigation guidance. The CVSS v4.0 base score is 5.1 (medium severity), reflecting the ease of exploitation (low complexity, no privileges required), the requirement for user interaction, and limited impact on confidentiality and availability but some impact on integrity. The vulnerability could allow attackers to execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The MITRE ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) is relevant here. No official patches or countermeasures are currently known, and the advisory suggests considering alternative products until a fix is available.

For European organizations, especially those operating airports or logistics centers using Vanderlande Baggage 360 7.0.0, this vulnerability poses a tangible risk. Baggage handling systems are critical infrastructure components in airports, and compromise could disrupt operations or lead to unauthorized access to internal systems via session hijacking or credential theft through XSS attacks. Although the vulnerability primarily affects the integrity of displayed content, successful exploitation could facilitate phishing or social engineering attacks targeting airport staff or passengers. Given the remote exploitability and public availability of the exploit, attackers could target European airports to cause operational disruptions or reputational damage. The lack of vendor response and patches increases the window of exposure. Furthermore, attackers might chain this XSS with other vulnerabilities to escalate privileges or move laterally within airport IT environments. The impact on availability is limited but cannot be ruled out if attackers use the XSS to inject disruptive scripts. Confidentiality impact is low but possible if session tokens or sensitive data are exposed via the XSS vector.

Since no official patches or vendor mitigations are available, European organizations should implement immediate compensating controls. First, apply strict input validation and output encoding on the 'Message' parameter at any proxy or web application firewall (WAF) level to block or sanitize malicious payloads targeting /api-addons/v1/messages. Deploy a WAF with custom rules to detect and block typical XSS attack patterns. Conduct thorough monitoring and logging of API traffic to detect anomalous requests. Limit user privileges and segregate the baggage handling system network from other critical IT infrastructure to reduce lateral movement risk. Educate users and staff about the risks of interacting with suspicious content that could trigger XSS payloads. If feasible, consider temporarily disabling or restricting access to the vulnerable API endpoint until a patch or vendor guidance is available. Evaluate alternative baggage handling solutions or updated versions of Vanderlande Baggage 360 that do not contain this vulnerability. Regularly review threat intelligence feeds for updates on exploit activity or vendor patches. Finally, implement Content Security Policy (CSP) headers where possible to mitigate the impact of XSS by restricting script execution sources.