The vulnerability CVE-2025-28870 affects amoCRM WebForm versions up to 1.1 and involves improper neutralization of input during web page generation, leading to a DOM-Based Cross-site Scripting (XSS) issue. This allows an attacker with low privileges and requiring user interaction to inject and execute malicious scripts within the victim's browser context. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, required privileges, and user interaction, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to limited disclosure of information, modification of data, or disruption of service. The impact is considered medium severity based on the CVSS score of 6.5. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should apply standard precautions such as limiting user privileges and avoiding interaction with untrusted inputs in the amoCRM WebForm environment. Monitor vendor communications for updates on patches or official mitigations.