CVE-2025-11962 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting DivvyDrive Information Technologies Inc.'s Digital Corporate Warehouse software versions prior to 4.8.2.22. The vulnerability stems from improper neutralization of input during the generation of web pages, which allows malicious actors to inject and store executable scripts within the application. When other users access the affected pages, these scripts execute in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or data exfiltration. The vulnerability requires the attacker to have limited privileges (PR:L) and user interaction (UI:R), such as tricking a user into viewing a maliciously crafted page or content. The CVSS v3.1 base score is 7.3, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of corporate data managed by Digital Corporate Warehouse. The lack of a patch link suggests that remediation involves upgrading to version 4.8.2.22 or later, where the issue is resolved. The vulnerability's exploitation could allow attackers to compromise user sessions, steal sensitive information, or perform unauthorized actions within the affected environment.

For European organizations, the impact of CVE-2025-11962 can be substantial, especially for enterprises relying on Digital Corporate Warehouse to manage sensitive corporate data and documents. Successful exploitation could lead to unauthorized disclosure of confidential information, including intellectual property, financial data, or personal data protected under GDPR. This could result in regulatory penalties, reputational damage, and operational disruptions. The integrity of corporate data could be compromised, enabling attackers to manipulate stored information or perform unauthorized transactions. Although availability is not directly affected, the indirect consequences of data breaches and trust erosion can disrupt business continuity. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the risk in environments with less stringent user awareness training. Given the high CVSS score and the stored nature of the XSS, the threat is persistent and can affect multiple users over time if not remediated promptly.

European organizations should immediately upgrade Digital Corporate Warehouse to version 4.8.2.22 or later, where this vulnerability is addressed. In parallel, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct regular security awareness training to reduce the risk of social engineering attacks that could trigger stored XSS exploitation. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts. Use web application firewalls (WAF) configured to detect and block XSS payloads targeting Digital Corporate Warehouse. Additionally, perform periodic security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively. Ensure that incident response plans include procedures for handling XSS incidents and potential data breaches.