CVE-2025-30902 identifies a reflected Cross-site Scripting (XSS) vulnerability in the AEC Kiosque software developed by ATL Software SRL. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker to inject malicious JavaScript code that is reflected back to the user's browser. This reflected XSS can be exploited by crafting malicious URLs or web requests that, when visited by a user, execute arbitrary scripts in the context of the affected web application. Such scripts can hijack user sessions, steal cookies, perform actions on behalf of the user, or redirect users to malicious sites. The affected versions include all releases up to and including version 1.9.3. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability does not require authentication, increasing its risk profile, and user interaction is limited to visiting a malicious link or page. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. This vulnerability is typical of input validation flaws in web applications and highlights the importance of proper output encoding and input sanitization in dynamic web content generation.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions within the affected AEC Kiosque application. Successful exploitation can lead to session hijacking, theft of sensitive information such as authentication tokens or personal data, and unauthorized actions performed on behalf of the user. This can result in data breaches, unauthorized access to restricted areas, and potential compromise of backend systems if the application interfaces with other services. For organizations deploying AEC Kiosque in public-facing kiosks or customer interaction points, this vulnerability could be exploited to target end-users, leading to reputational damage and loss of customer trust. The reflected XSS nature means that attacks rely on social engineering, but the ease of crafting malicious URLs makes exploitation straightforward. The absence of known exploits in the wild currently limits immediate impact, but the vulnerability remains a significant risk if weaponized. Overall, the threat affects availability minimally but poses a high risk to confidentiality and integrity.

To mitigate this vulnerability, organizations should first monitor ATL Software SRL for official patches or updates addressing CVE-2025-30902 and apply them promptly once available. In the interim, implement strict input validation and output encoding on all user-supplied data within the AEC Kiosque application, especially in URL parameters and any reflected content. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Additionally, consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block reflected XSS attack patterns targeting AEC Kiosque endpoints. Educate users and administrators about the risks of clicking on suspicious links and implement URL filtering where possible. Regularly audit and test the application for other injection flaws and ensure secure coding practices are followed in future development. If feasible, isolate kiosk systems from sensitive internal networks to limit lateral movement in case of compromise.