CVE-2025-23777 is a stored cross-site scripting (XSS) vulnerability identified in the GDPR Personal Data Reports software developed by willowsconsulting, affecting all versions up to and including 1.0.5. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the application. When a victim accesses the affected page, the injected script executes in their browser context, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. Stored XSS is particularly dangerous because the malicious payload is saved on the server and served to multiple users, increasing the attack surface. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and thus may attract attackers. The affected product is used for managing GDPR personal data reports, which likely contain sensitive personal information, increasing the risk of data exposure or manipulation. The absence of a CVSS score requires an assessment based on the nature of the vulnerability: stored XSS vulnerabilities generally have a high impact on confidentiality and integrity, moderate impact on availability, and are moderately easy to exploit without authentication if the interface is publicly accessible. The vulnerability affects organizations that deploy this software, especially those in jurisdictions with strict GDPR compliance requirements. The lack of available patches at the time of disclosure necessitates immediate mitigation steps to reduce risk.

The primary impact of CVE-2025-23777 is on the confidentiality and integrity of data handled by GDPR Personal Data Reports. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate legitimate users, including administrators, which could result in unauthorized access to sensitive personal data. Attackers may also manipulate displayed data or perform actions on behalf of users, undermining data integrity and trustworthiness. The stored nature of the XSS means multiple users can be affected once the malicious payload is injected. This can lead to widespread compromise within an organization using the vulnerable software. Additionally, the exposure of personal data could result in regulatory penalties under GDPR, reputational damage, and loss of customer trust. While availability impact is less direct, attackers could use XSS to conduct phishing or social engineering attacks, potentially leading to further compromise. Organizations worldwide that rely on this product for GDPR compliance reporting face increased risk, particularly those with publicly accessible instances of the software or those with users who have elevated privileges.

Organizations should immediately audit their deployments of GDPR Personal Data Reports to identify affected versions (<=1.0.5). Since no patches are currently available, implement the following mitigations: 1) Employ strict input validation on all user-supplied data to reject or sanitize potentially malicious content before storage. 2) Apply comprehensive output encoding/escaping on all data rendered in web pages to prevent script execution. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS. 4) Limit access to the application interface to trusted users and networks where feasible, reducing exposure. 5) Monitor logs and user activity for signs of suspicious behavior indicative of exploitation attempts. 6) Prepare to apply vendor patches promptly once released. 7) Educate users about the risks of clicking on suspicious links or interacting with unexpected content within the application. These steps go beyond generic advice by focusing on both immediate risk reduction and long-term remediation.