CVE-2025-24635 is a reflected Cross-site Scripting (XSS) vulnerability identified in the Paytm Payment Donation product developed by integrationdevpaytm, affecting all versions up to and including 2.3.1. This vulnerability results from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is reflected back in the HTTP response. When a victim clicks on a crafted URL containing malicious payloads, the injected script executes within their browser under the domain of the vulnerable application. This can lead to theft of session cookies, user credentials, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability does not require authentication, making it easier for attackers to target a wide range of users. Although no public exploits have been reported, the presence of this vulnerability in a payment-related service increases the risk of financial fraud and reputational damage. The lack of a CVSS score necessitates an expert severity assessment, which considers the vulnerability's potential to compromise confidentiality and integrity, the ease of exploitation, and the broad scope of affected users. The vulnerability is particularly concerning given the widespread use of Paytm's payment services in India and other regions with growing digital payment ecosystems.

The impact of CVE-2025-24635 is significant for organizations using the Paytm Payment Donation product. Successful exploitation can lead to unauthorized disclosure of sensitive user information, including session tokens and personal data, enabling attackers to impersonate users or conduct fraudulent transactions. This undermines user trust and can result in financial losses both for end-users and the organizations facilitating payments. Additionally, attackers could use the vulnerability to deliver further malware or phishing attacks by redirecting users to malicious sites. The reflected XSS nature means the attack requires user interaction, but the widespread use of Paytm in digital payments amplifies the potential reach. Organizations may face regulatory penalties if user data is compromised, especially under data protection laws such as GDPR or India's IT Act. The reputational damage and operational disruption caused by exploitation could be severe, particularly for financial institutions and e-commerce platforms relying on Paytm's payment infrastructure.

To mitigate CVE-2025-24635, organizations should immediately update Paytm Payment Donation to a patched version once available. In the absence of a patch, implement strict input validation and output encoding on all user-supplied data reflected in web pages to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Use HTTP-only and secure flags on cookies to protect session tokens from theft via script access. Educate users to avoid clicking suspicious links and consider deploying web application firewalls (WAFs) with rules targeting reflected XSS payloads specific to this product. Regularly audit and test web applications for XSS vulnerabilities using automated scanners and manual penetration testing. Finally, monitor logs for unusual activity that may indicate exploitation attempts.