
CVE-2025-23745: Cross-Site Request Forgery (CSRF) in Tussendoor B.V. Call me Now

Published: Thu Jan 16 2025 (01/16/2025, 20:06:50 UTC)
Source: CVE Database V5
Vendor/Project: Tussendoor B.V.
Product: Call me Now

Description

Cross-Site Request Forgery (CSRF) vulnerability in Tussendoor B.V. Call me Now call-me-now allows Stored XSS. This issue affects Call me Now: from n/a through <= 1.0.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/01/2026, 19:56:28 UTC

Technical Analysis

CVE-2025-23745 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the 'Call me Now' product by Tussendoor B.V., affecting all versions up to and including 1.0.5. A CSRF vulnerability lets an attacker cause an authenticated user's browser to submit a request the user did not intend, because the browser automatically attaches the user's session credentials to it. In this case, the CSRF flaw facilitates Stored Cross-Site Scripting (XSS): the forged request persists attacker-controlled script on the server, where it later executes in the browsers of other users who view the affected content. This combination significantly elevates the risk. CSRF on its own typically yields a single unauthorized state change, but here it leads to persistent script injection, which can steal cookies, hijack sessions, or perform actions on behalf of users. The vulnerability was published on January 16, 2025, with no CVSS score assigned and no known exploits reported in the wild. The absence of patches or mitigations from the vendor at the time of publication increases the urgency for organizations to implement defensive controls. The vulnerability impacts the confidentiality, integrity, and availability of affected systems by enabling unauthorized actions and persistent malicious code execution. Exploitation requires the victim to be authenticated and to visit a malicious site or click a crafted link; no further user interaction is necessary. The scope includes all users of the affected product versions, which are used primarily in web environments to offer a 'call me now' contact feature. The vulnerability highlights the importance of secure session management, input sanitization, and anti-CSRF protections in web applications.

Potential Impact

The impact of CVE-2025-23745 is significant for organizations using the 'Call me Now' product, as it allows attackers to perform unauthorized actions via CSRF and to inject persistent malicious scripts through Stored XSS. This can lead to session hijacking, credential theft, unauthorized data modification, and compromise of user accounts. Because the injected script is stored rather than reflected, a single successful forged request can affect every user who subsequently views the affected content, increasing the risk of widespread exploitation. Organizations may face data breaches, loss of user trust, regulatory penalties, and operational disruptions. Since the vulnerability affects a web-based communication feature, it could also be leveraged against customer-facing portals, increasing reputational damage. The lack of known exploits in the wild currently limits immediate risk, but public disclosure raises the likelihood of future exploitation attempts. The requirement for an authenticated victim who visits a malicious site narrows the attack vector but does not eliminate the threat. Overall, the vulnerability poses a high risk to the confidentiality, integrity, and availability of affected systems and user data.

Mitigation Recommendations

To mitigate CVE-2025-23745, organizations should implement robust anti-CSRF protections such as synchronizer tokens or double-submit cookies, so that every state-changing request carries a secret the attacker's page cannot obtain and the server rejects requests without it. Input validation and context-appropriate output encoding should be enforced rigorously so that stored content cannot be injected as, or rendered as, executable script. Web application firewalls (WAFs) can provide temporary protection by detecting and blocking suspicious requests. Monitoring and logging user actions can help detect anomalous behavior indicative of exploitation attempts, for example state-changing requests whose Origin or Referer header does not match the application's own origin. Organizations should engage with the vendor for patches or updates and apply them promptly once available. Additionally, educating users about the risks of clicking untrusted links and deploying Content Security Policy (CSP) headers can reduce the impact of XSS attacks. Regular security assessments and penetration testing focused on CSRF and XSS vulnerabilities are recommended to identify and remediate weaknesses proactively. For immediate risk reduction, disabling or restricting the vulnerable 'Call me Now' functionality until patched may be necessary in high-risk environments.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-01-16T11:29:28.684Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69cd722de6bfc5ba1dee8553

Added to database: 4/1/2026, 7:29:49 PM

Last enriched: 4/1/2026, 7:56:28 PM

Last updated: 4/4/2026, 8:24:42 AM
