CVE-2025-23772 is a stored Cross-site Scripting (XSS) vulnerability affecting the imaGenius web application developed by Eugenio Petulla. The flaw stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the server and executed in the browsers of users who access the affected pages. This type of vulnerability is particularly dangerous because it can be used to steal session cookies, perform actions on behalf of users, deface websites, or deliver malware. The affected versions include all releases up to and including version 1.7. No CVSS score has been assigned yet, and no patches or official fixes have been released at the time of publication. There are no known active exploits in the wild, but the nature of stored XSS makes it a high-risk issue once weaponized. The vulnerability does not require authentication to exploit, but successful exploitation requires that a victim user visits a maliciously crafted or compromised page. The vulnerability is classified under improper input neutralization during web page generation, a common and well-understood web security issue. Organizations using imaGenius should be aware of this risk and implement appropriate mitigations to prevent exploitation.

The impact of CVE-2025-23772 is significant for organizations using the imaGenius platform, particularly those that handle sensitive user data or rely on the integrity of their web applications. Exploitation of this stored XSS vulnerability can lead to unauthorized access to user sessions, theft of credentials, and execution of arbitrary scripts in the context of users' browsers. This can result in data breaches, unauthorized actions performed on behalf of users, defacement of websites, and distribution of malware. The vulnerability undermines the confidentiality and integrity of user data and can damage organizational reputation. Since the vulnerability is stored XSS, it affects all users who access the compromised content, increasing the scope of impact. The ease of exploitation without authentication and lack of user awareness about the malicious payload further exacerbate the risk. Organizations in sectors such as media, creative industries, and any business using imaGenius for image or content management are particularly vulnerable. The absence of patches means that the risk remains until mitigations or updates are applied.

To mitigate CVE-2025-23772, organizations should immediately implement strict input validation and output encoding on all user-supplied data within the imaGenius application. Specifically, all inputs that are reflected or stored and later rendered in web pages must be sanitized to neutralize HTML and JavaScript code. Employing a robust web application firewall (WAF) with rules designed to detect and block XSS payloads can provide an additional layer of defense. Until an official patch is released, consider disabling or restricting features that allow users to submit content that is rendered without proper sanitization. Conduct thorough code reviews and penetration testing focused on XSS vulnerabilities. Educate users about the risks of clicking on suspicious links or content within the application. Monitor logs and user reports for signs of exploitation attempts. Finally, maintain close communication with the vendor for updates and patches addressing this vulnerability.