CVE-2025-28957 identifies a stored cross-site scripting (XSS) vulnerability in the OwnerRez API, a platform used for property management and booking services. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious JavaScript code to be stored persistently within the application. When other users access the affected pages, the malicious scripts execute in their browsers under the context of the vulnerable domain. This can lead to theft of session cookies, redirection to malicious sites, or unauthorized actions performed with the victim's privileges. The affected versions include all OwnerRez API releases up to and including version 1.2.1. The vulnerability does not require user authentication to exploit, increasing its attack surface. No CVSS score has been assigned yet, and no patches or known exploits are currently available. The issue was reserved in March 2025 and published in July 2025. The lack of proper input sanitization and output encoding in the API's web page generation process is the root cause. This vulnerability is typical of stored XSS flaws, which are among the most dangerous XSS types due to their persistent nature and potential for widespread impact.

The impact of this stored XSS vulnerability can be significant for organizations using the OwnerRez API. Attackers can inject malicious scripts that execute in the browsers of users accessing affected pages, potentially leading to session hijacking, credential theft, unauthorized transactions, or defacement of web content. This compromises confidentiality and integrity of user data and can also affect availability if attackers use the vulnerability to conduct further attacks such as phishing or malware distribution. Since the vulnerability does not require authentication, any visitor or user interacting with the vulnerable API endpoints could be targeted. This broadens the scope of affected systems and increases risk. For organizations handling sensitive customer data or financial transactions via OwnerRez, the consequences could include data breaches, reputational damage, regulatory penalties, and financial loss. The absence of known exploits currently provides a window for remediation before active attacks emerge.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization on all user-supplied data before it is stored or rendered in web pages. Employing context-aware output encoding (e.g., HTML entity encoding) when displaying data in the browser is critical to prevent script execution. OwnerRez should release a patch that properly neutralizes input during web page generation. Until a patch is available, organizations can implement Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting the API. Security teams should conduct thorough code reviews and penetration testing focused on input handling and output encoding. Educating developers on secure coding practices and adopting Content Security Policy (CSP) headers can further reduce risk. Monitoring logs for suspicious input patterns and anomalous user behavior can help detect exploitation attempts early. Finally, organizations should keep abreast of updates from OwnerRez and apply patches promptly once released.