CVE-2025-23767 identifies a stored cross-site scripting (XSS) vulnerability in the revoxis Marmoset Viewer, a web-based application used for rendering and interacting with 3D models or similar content. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the application. When other users access the affected pages, the malicious payload executes in their browsers under the context of the vulnerable site. This can lead to a range of attacks including session hijacking, theft of sensitive information, or execution of unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 1.9.3, with no patch currently linked or available. No authentication or special privileges are required to exploit this vulnerability, and user interaction is limited to visiting a compromised page. Although no known exploits have been reported in the wild, the nature of stored XSS makes it a significant risk, especially in environments where Marmoset Viewer is integrated into critical workflows or exposed to untrusted users. The lack of a CVSS score necessitates an expert severity assessment based on the impact and exploitability characteristics.

The impact of CVE-2025-23767 on organizations worldwide can be substantial, particularly for those that deploy revoxis Marmoset Viewer in environments accessible to untrusted or external users. Stored XSS vulnerabilities allow attackers to inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions performed with the victim's privileges. This can compromise the confidentiality and integrity of user data and may also affect availability if attackers leverage the vulnerability to conduct further attacks such as phishing or malware distribution. Organizations using Marmoset Viewer in sensitive sectors like education, design, or manufacturing could face reputational damage and operational disruption. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes public knowledge. The scope is limited to deployments of the affected software versions, but given the ease of exploitation and lack of authentication requirements, the potential impact is high for exposed systems.

To mitigate CVE-2025-23767, organizations should take the following specific actions: 1) Monitor the vendor’s official channels for patches or updates addressing this vulnerability and apply them promptly once available. 2) Implement strict input validation and sanitization on all user-supplied data before it is processed or rendered by the Marmoset Viewer to prevent injection of malicious scripts. 3) Apply output encoding techniques to ensure that any dynamic content is safely rendered in the browser context. 4) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 5) Conduct regular security assessments and code reviews focusing on input handling and output generation within the application. 6) Restrict access to Marmoset Viewer instances to trusted users or networks where feasible, reducing exposure to untrusted input. 7) Educate users about the risks of clicking unknown links or interacting with untrusted content within the viewer environment. These measures, combined, will reduce the likelihood and impact of exploitation until an official patch is released.