CVE-2025-11308 is a stored Cross Site Scripting (XSS) vulnerability identified in Vanderlande Baggage 360 version 7.0.0, specifically within the /api-addons/v1/messages API endpoint. The vulnerability arises due to improper neutralization of user-controllable input in the 'Message' parameter, which is reflected in web pages served to other users without adequate sanitization, classified under CWE-79. This flaw allows remote attackers to inject malicious JavaScript code that executes in the context of victims’ browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions. Exploitation does not require authentication but does require victim user interaction to trigger the malicious payload. The CVSS v4.0 score is 5.1 (medium), reflecting ease of remote exploitation (attack vector: network), no privileges required, but user interaction needed. A public proof-of-concept exploit is available, increasing the risk of exploitation. The vendor, Vanderlande, was contacted early but has not provided any response or patch, leaving affected systems exposed. The vulnerability impacts the integrity of the system by allowing injection of unauthorized scripts, which can lead to further attacks such as credential theft or privilege escalation. The vulnerability is relevant to airport baggage handling systems, which are critical infrastructure components. No official mitigations or patches are currently available, and the exploit is publicly accessible on GitHub, raising the urgency for defensive measures. The MITRE ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) is associated with this attack vector.

For European organizations, particularly airports and logistics operators using Vanderlande Baggage 360, this vulnerability poses a significant risk to operational integrity and security. Exploitation could allow attackers to execute arbitrary scripts within the baggage handling management interface, potentially leading to session hijacking, unauthorized access to sensitive operational data, or manipulation of baggage handling workflows. This could disrupt airport operations, cause delays, or facilitate further attacks on connected systems. Given the critical nature of airport infrastructure in Europe and the reliance on automated baggage systems, the impact could extend to passenger safety and trust. Additionally, attackers could leverage this vulnerability to pivot into broader network segments, compromising confidentiality and availability of other systems. The lack of vendor response and patch increases the window of exposure, making European airports attractive targets for opportunistic attackers or advanced persistent threat groups aiming to disrupt critical infrastructure.

Since no official patch or vendor mitigation is available, European organizations should implement the following specific measures: 1) Deploy Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the /api-addons/v1/messages endpoint, focusing on typical XSS attack patterns. 2) Implement strict input validation and output encoding on any user-controllable inputs in the baggage system interface, if customization or integration options exist. 3) Restrict access to the vulnerable API endpoint to trusted internal networks only, using network segmentation and access control lists to limit exposure. 4) Monitor logs and network traffic for unusual activity or repeated attempts to exploit the Message parameter. 5) Educate staff and users about the risks of interacting with suspicious links or inputs related to the baggage system interface to reduce successful user interaction exploitation. 6) Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the web interface. 7) Engage with Vanderlande for updates and push for timely patch release. 8) Evaluate alternative baggage handling solutions or temporary compensating controls if feasible. These targeted actions go beyond generic advice by focusing on the specific vulnerable endpoint and operational context.