CVE-2025-23607 identifies a reflected Cross-site Scripting (XSS) vulnerability in the CAMOO SMS product developed by Camoo Sarl, affecting all versions up to and including 3.0.1. The root cause is improper neutralization of user-supplied input during web page generation, which allows attackers to inject malicious JavaScript code into web pages viewed by other users. This vulnerability is classified as reflected XSS, meaning the malicious payload is embedded in a link or request and reflected back in the server's response without proper sanitization. When a victim clicks on a crafted URL or interacts with a maliciously crafted input, the injected script executes in their browser context. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the user, or redirection to malicious websites. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction to trigger the attack. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability affects the CAMOO SMS product, which is a messaging platform used primarily in certain regional markets. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. The technical details confirm the issue was reserved and published in January 2025. Given the nature of reflected XSS, the attack surface includes any web interface components that process user input and reflect it in responses without proper encoding or sanitization.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Successful exploitation can allow attackers to steal session cookies, enabling account takeover, or perform actions on behalf of authenticated users, potentially leading to unauthorized access or data manipulation. It can also facilitate phishing attacks by redirecting users to malicious sites or displaying deceptive content. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is compromised. Availability impact is generally low for reflected XSS but could be indirectly affected if attackers deface web interfaces or cause user disruption. Since CAMOO SMS is a messaging platform, compromise could affect communication integrity and confidentiality, critical for business operations. The lack of authentication requirement and ease of exploitation increase the risk, especially if users are tricked into clicking malicious links. Organizations relying on CAMOO SMS for internal or customer communications are particularly vulnerable to these impacts.

Organizations should monitor Camoo Sarl's official channels for patches addressing CVE-2025-23607 and apply them promptly once available. Until a patch is released, implement strict input validation and output encoding on all user-supplied data reflected in web pages to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users about the risks of clicking untrusted links and encourage cautious behavior. Use web application firewalls (WAFs) to detect and block common XSS attack patterns targeting CAMOO SMS interfaces. Conduct regular security assessments and code reviews focusing on input handling in web components. Additionally, consider isolating the CAMOO SMS application environment to limit potential lateral movement if exploitation occurs. Logging and monitoring for suspicious activities related to web requests can help detect exploitation attempts early. Finally, ensure that session management mechanisms use secure, HttpOnly, and SameSite cookie attributes to reduce session hijacking risks.