CVE-2025-11682 is a stored cross-site scripting (XSS) vulnerability identified in the Perx Technologies Customer Engagement & Loyalty Platform, specifically within the LMT Dashboard component. The root cause is improper sanitization of SVG file uploads, which allows an authenticated attacker with high privileges to upload a malicious SVG file containing embedded JavaScript payloads. When other users access the public LMT microsite and view the compromised SVG image, the malicious script executes in their browsers. This execution can lead to session hijacking, unauthorized data access, or other malicious actions impacting confidentiality and integrity. The vulnerability affects all versions prior to 4.617.4. Exploitation requires authentication with high privileges and user interaction (viewing the malicious SVG). The CVSS 4.0 vector indicates a network attack vector with high complexity and user interaction required, but no privileges are needed to trigger the vulnerability once the malicious file is uploaded. No public exploit code is currently known. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-83 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The issue highlights the risks of insufficient input validation and sanitization of user-uploaded content, especially SVG files that can embed scripts. The platform is used for customer engagement and loyalty campaigns, often involving public-facing microsites, increasing the risk of exposure to end users.

For European organizations using the Perx Customer Engagement & Loyalty Platform, this vulnerability poses significant risks. Exploitation could lead to session hijacking of users, unauthorized access to sensitive customer data, and manipulation of loyalty campaigns or user accounts. This can damage customer trust, lead to regulatory non-compliance (e.g., GDPR breaches due to data theft), and cause reputational harm. Public-facing microsites displaying user-uploaded SVG images are particularly vulnerable, potentially exposing a broad user base to malicious scripts. The requirement for high privileges to upload malicious SVGs limits the attack surface to insiders or compromised accounts, but the impact remains high if exploited. The vulnerability could also be leveraged as a foothold for further attacks within the organization’s network. Given the high complexity and user interaction required, widespread automated exploitation is less likely, but targeted attacks against high-value customers or employees remain a concern.

1. Upgrade the Perx Customer Engagement & Loyalty Platform to version 4.617.4 or later once patches are released to address this vulnerability. 2. Temporarily disable or restrict SVG file uploads in the LMT Dashboard until a patch is applied. 3. Implement strict server-side sanitization and validation of all uploaded SVG files to remove or neutralize embedded scripts and potentially dangerous tags. 4. Employ Content Security Policy (CSP) headers on public microsites to restrict execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Enforce the principle of least privilege for users with upload permissions to minimize the risk of malicious file uploads. 6. Monitor logs for suspicious upload activities and anomalous user behavior within the platform. 7. Educate users and administrators about the risks of uploading untrusted SVG content and the importance of security hygiene. 8. Conduct regular security assessments and penetration tests focusing on file upload functionalities and client-side script execution.