CVE-2025-22824 identifies a stored cross-site scripting (XSS) vulnerability in the lucia.intelisano Live Flight Radar software, versions up to and including 1.0. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and persist within the application. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and served to multiple users, increasing the attack surface. An attacker can exploit this flaw by submitting crafted input that is then rendered without proper sanitization, enabling execution of arbitrary JavaScript in the context of other users’ browsers. Potential consequences include theft of session cookies, redirection to malicious sites, unauthorized actions performed on behalf of users, and distribution of malware. The vulnerability does not require authentication or user interaction beyond visiting a compromised page, making it easier to exploit. Although no public exploits have been reported yet, the risk remains significant given the nature of the flaw. The absence of an official patch at the time of publication increases the urgency for organizations to implement interim mitigations. The affected product, Live Flight Radar, is used for real-time flight tracking, which may be integrated into aviation monitoring, logistics, and travel-related services, amplifying the potential impact. The vulnerability was reserved and published in early January 2025, with no CVSS score assigned yet.

The stored XSS vulnerability in Live Flight Radar can have severe consequences for organizations and users worldwide. Attackers can hijack user sessions, steal sensitive information such as authentication tokens or personal data, and perform unauthorized actions on behalf of users. This can lead to data breaches, loss of user trust, and potential regulatory penalties. Additionally, attackers may use the vulnerability to distribute malware or phishing content, further compromising affected systems. For organizations relying on Live Flight Radar for aviation tracking or logistics, exploitation could disrupt operational workflows or lead to misinformation. The persistence of the malicious script increases the risk of widespread impact across all users accessing the affected pages. Since no authentication is required, the attack surface includes all users of the platform, including administrators and external clients. The lack of a patch at the time of disclosure means organizations must act quickly to mitigate risk. Overall, the vulnerability threatens confidentiality, integrity, and availability of user data and services.

To mitigate CVE-2025-22824, organizations should first monitor for any official patches or updates from lucia.intelisano and apply them immediately once available. In the interim, implement strict input validation and output encoding on all user-supplied data rendered in web pages to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Conduct thorough code reviews and penetration testing focused on input handling and web page generation components. Limit user privileges to reduce the potential damage from compromised accounts. Additionally, consider deploying web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Live Flight Radar endpoints. Educate users about the risks of clicking suspicious links or interacting with untrusted content within the platform. Maintain regular backups and incident response plans to quickly recover from potential compromises. Finally, monitor logs and user activity for signs of exploitation attempts or unusual behavior.