CVE-2025-23920 is a reflected Cross-site Scripting (XSS) vulnerability identified in the ApplicantPro product developed by Sourcing Team, affecting all versions up to and including 1.3.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker to inject malicious JavaScript code that is reflected back to the victim's browser. This type of vulnerability is commonly exploited by crafting malicious URLs or input fields that, when accessed by a user, execute arbitrary scripts in their browser context. The impact of such an attack can include theft of session cookies, enabling account takeover, defacement of web content, or redirection to malicious sites. ApplicantPro is widely used as an applicant tracking system (ATS) and recruitment management platform, which processes sensitive personal data of job applicants and HR personnel. The vulnerability does not require prior authentication, increasing its risk profile, but does require user interaction, such as clicking a malicious link. No public exploits or patches are currently available, and the vulnerability was published in early 2025. The absence of a CVSS score necessitates an expert severity assessment. Given the nature of reflected XSS vulnerabilities, the ease of exploitation, and the sensitivity of data handled by ApplicantPro, this vulnerability poses a significant risk to organizations relying on this software for recruitment and applicant management.

The primary impact of CVE-2025-23920 is on the confidentiality and integrity of user data within ApplicantPro environments. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, potentially gaining unauthorized access to sensitive applicant information and HR workflows. This can result in data breaches involving personally identifiable information (PII), which may have legal and reputational consequences for affected organizations. Additionally, attackers could perform unauthorized actions on behalf of users, such as modifying applicant data or injecting malicious content into the recruitment portal. Although availability impact is limited, the trustworthiness of the affected system is compromised. The vulnerability's ease of exploitation without authentication and the widespread use of ApplicantPro in recruitment processes globally amplify the potential impact. Organizations handling large volumes of applicant data or operating in regulated industries (e.g., finance, healthcare) face heightened risks. The lack of known exploits in the wild currently reduces immediate threat but does not diminish the urgency for remediation.

1. Apply patches or updates from Sourcing Team as soon as they become available to address the vulnerability directly. 2. Implement strict input validation and output encoding on all user-supplied data to prevent malicious scripts from being injected and executed. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including XSS. 5. Educate users, especially HR personnel, about the risks of clicking suspicious links or opening untrusted content related to ApplicantPro portals. 6. Monitor web application logs for unusual requests or patterns indicative of attempted XSS exploitation. 7. Consider implementing Web Application Firewalls (WAF) with rules tailored to detect and block reflected XSS payloads targeting ApplicantPro. 8. Limit the exposure of ApplicantPro interfaces to trusted networks or VPNs where feasible to reduce attack surface. 9. Review and harden session management mechanisms to mitigate the impact of session hijacking if exploitation occurs.