CVE-2025-11682 is a stored cross-site scripting vulnerability classified under CWE-79 and CWE-83, found in the Perx Technologies Customer Engagement & Loyalty Platform, particularly in the LMT Dashboard component. The vulnerability stems from insufficient sanitization of SVG file uploads, which are vector image files that can contain embedded scripts. An authenticated attacker with high privileges can upload a crafted SVG containing malicious JavaScript code as part of a campaign. When other users, including potentially less privileged or public users, view this SVG on the public-facing LMT microsite, the embedded script executes in their browser context. This execution can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions before 4.617.4. The CVSS 4.0 vector indicates that the attack requires authentication with high privileges, user interaction, and has a high impact on confidentiality, integrity, and availability, but the attack complexity is high and the scope is high, meaning the vulnerability can affect components beyond the initially vulnerable module. No patches are linked yet, and no known exploits have been observed in the wild. The issue was reserved and published in October 2025 by NCSC.ch, reflecting a recent disclosure. This vulnerability highlights the risks of improper input validation and the dangers of allowing SVG uploads without adequate sanitization in web applications.

For European organizations using the Perx Customer Engagement & Loyalty Platform, this vulnerability poses significant risks. Exploitation could lead to compromise of user sessions, allowing attackers to impersonate legitimate users and access sensitive customer data or internal campaign information. This could result in data breaches, loss of customer trust, and regulatory penalties under GDPR due to unauthorized data exposure. The public-facing nature of the LMT microsite increases the attack surface, potentially affecting a wide range of users including customers and employees. Additionally, attackers could leverage the vulnerability to perform further attacks within the network, impacting system integrity and availability. The requirement for high privilege authentication limits the attack vector primarily to insiders or compromised accounts, but the consequences remain severe. The high impact on confidentiality, integrity, and availability underscores the critical need for remediation in European markets where data protection regulations are stringent and customer engagement platforms are widely used.

European organizations should immediately verify their Perx Customer Engagement & Loyalty Platform version and upgrade to version 4.617.4 or later once available. Until patches are applied, implement strict file upload controls to restrict SVG uploads or convert SVGs to safer formats server-side. Employ robust input sanitization and validation libraries specifically designed to neutralize script content within SVG files. Enforce the principle of least privilege to limit user permissions, reducing the risk of high-privilege account compromise. Monitor logs for unusual file upload activity and anomalous behavior on the LMT microsite. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block malicious SVG payloads. Conduct regular security training for administrators to recognize phishing or social engineering attempts that could lead to credential compromise. Finally, perform thorough security assessments and penetration tests focusing on file upload functionalities and cross-site scripting vectors within the platform.