
CVE-2025-32961: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cuba-platform jpawebapi

Medium
Published: Tue Apr 22 2025 (04/22/2025, 17:46:00 UTC)
Source: CVE
Vendor/Project: cuba-platform
Product: jpawebapi

Description

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website.

AI-Powered Analysis

Last updated: 06/22/2025, 08:50:40 UTC

Technical Analysis

CVE-2025-32961 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the cuba-platform's jpawebapi component prior to version 1.1.1. The cuba-platform's JPA web API facilitates loading and saving entities defined in an application's data model via simple HTTP requests. The vulnerability arises from improper neutralization of input during web page generation, specifically related to the handling of an input parameter that includes a file path and name. When the 'name' portion of this parameter ends with the '.html' extension, the API responds with a Content-Type header set to 'text/html'. This behavior can be exploited if an attacker manages to upload a malicious HTML file containing JavaScript code. When a victim's browser loads this file, the malicious script executes in the context of the vulnerable web application, potentially leading to session hijacking, credential theft, or other malicious actions typical of XSS attacks. The vulnerability requires a prior step where the attacker uploads a malicious file, indicating that some level of access or functionality to upload files is necessary. The issue has been addressed in cuba-platform jpawebapi version 1.1.1, and a workaround is documented on the Jmix documentation website. There are no known exploits in the wild as of the publication date (April 22, 2025).

Potential Impact

For European organizations using the cuba-platform jpawebapi versions prior to 1.1.1, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data accessed via the affected web applications. Successful exploitation could allow attackers to execute arbitrary JavaScript in users' browsers, potentially leading to theft of authentication tokens, user impersonation, unauthorized actions, or distribution of malware. The impact is heightened in environments where sensitive data is handled or where users have elevated privileges. Since exploitation requires prior file upload capability, the risk is compounded in scenarios where file upload controls are weak or insufficiently monitored. This vulnerability could disrupt trust in web applications, lead to data breaches, and cause compliance issues under European data protection regulations such as GDPR. The availability impact is limited, as the vulnerability does not directly cause denial of service. However, reputational damage and operational disruptions could indirectly affect service availability.

Mitigation Recommendations

1. Immediate upgrade to cuba-platform jpawebapi version 1.1.1 or later to apply the official patch addressing this vulnerability.
2. If immediate upgrade is not feasible, implement the documented workaround from the Jmix documentation, which likely involves sanitizing or validating the input parameter to prevent the Content-Type header from being set to 'text/html' for untrusted inputs.
3. Harden file upload mechanisms by enforcing strict validation on file types, names, and content to prevent malicious HTML or script files from being uploaded.
4. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of untrusted resources, mitigating the impact of any injected scripts.
5. Employ HttpOnly and Secure flags on cookies to reduce the risk of session hijacking via XSS.
6. Conduct regular security audits and penetration testing focusing on file upload functionalities and input validation.
7. Monitor web application logs for unusual file upload activities or requests containing '.html' extensions in parameters.
8. Educate developers and administrators on secure coding practices related to input sanitization and output encoding to prevent similar vulnerabilities.
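The defensive pattern behind recommendations 2 through 4 is to stop the response's Content-Type from being controlled by a user-supplied file name. The servlet filter below is an added illustration written for this page; it is not cuba-platform or Jmix code and does not reproduce the documented workaround. It assumes a javax.servlet container, a request parameter called `name` that carries the user-supplied file name (hypothetical), and a small allow-list of MIME types; every other name, including anything ending in `.html`, is served as `application/octet-stream` with a download disposition, `nosniff`, and a restrictive CSP, and the wrapper pins the type so a downstream handler cannot switch it back to `text/html`.

```java
// Added example, not cuba-platform code: pin the Content-Type of file
// downloads to an allow-list derived from the extension, never to a type
// a browser would render as active content.
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SafeFileResponseFilter implements Filter {

    // Extensions a browser would render and run script from; these are never
    // served inline no matter what the uploader named the file.
    private static final Set<String> ACTIVE_CONTENT =
        Set.of("html", "htm", "xhtml", "shtml", "svg", "xml");

    // Allow-list of types that may be rendered inline (assumed for the example).
    private static final Map<String, String> INLINE_TYPES = Map.of(
        "pdf", "application/pdf",
        "png", "image/png",
        "jpg", "image/jpeg",
        "jpeg", "image/jpeg",
        "txt", "text/plain",
        "csv", "text/csv");

    // Extension of the file name after dropping any path component the caller supplied.
    static String extensionOf(String fileName) {
        if (fileName == null) return "";
        int cut = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String base = fileName.substring(cut + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // MIME type the response will carry: allow-listed types pass, everything
    // else (including html/htm/svg) becomes an opaque binary download.
    static String safeContentType(String fileName) {
        String ext = extensionOf(fileName);
        if (ext.isEmpty() || ACTIVE_CONTENT.contains(ext)) return "application/octet-stream";
        return INLINE_TYPES.getOrDefault(ext, "application/octet-stream");
    }

    // Whether the file must be delivered as an attachment rather than rendered.
    static boolean mustForceDownload(String fileName) {
        return !INLINE_TYPES.containsKey(extensionOf(fileName));
    }

    // Response wrapper that ignores later attempts to change the pinned Content-Type.
    private static final class PinnedTypeResponse extends HttpServletResponseWrapper {
        private final String pinned;
        PinnedTypeResponse(HttpServletResponse r, String pinned) {
            super(r);
            this.pinned = pinned;
            super.setContentType(pinned);
        }
        @Override public void setContentType(String type) { super.setContentType(pinned); }
        @Override public void setHeader(String n, String v) {
            if ("Content-Type".equalsIgnoreCase(n)) { super.setContentType(pinned); return; }
            super.setHeader(n, v);
        }
        @Override public void addHeader(String n, String v) {
            if ("Content-Type".equalsIgnoreCase(n)) { super.setContentType(pinned); return; }
            super.addHeader(n, v);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // "name" is the assumed parameter carrying the user-supplied file name.
        String name = req.getParameter("name");
        if (name == null) { chain.doFilter(req, res); return; }

        response.setHeader("X-Content-Type-Options", "nosniff");   // no MIME sniffing into HTML
        response.setHeader("Content-Security-Policy", "default-src 'none'; sandbox"); // no script even if rendered
        if (mustForceDownload(name)) {
            // Fixed, server-chosen file name: the caller's name never reaches the header.
            response.setHeader("Content-Disposition", "attachment; filename=\"download.bin\"");
        }
        chain.doFilter(req, new PinnedTypeResponse(response, safeContentType(name)));
    }

    // Stand-alone check of the mapping (servlet-api must be on the classpath to compile).
    public static void main(String[] args) {
        for (String n : new String[] {"report.pdf", "payload.html", "../x/photo.PNG", "noext", "a.svg"}) {
            System.out.println(n + " -> " + safeContentType(n) + (mustForceDownload(n) ? " (attachment)" : ""));
        }
    }
}
```

Register the filter on the download endpoint's path ahead of the handler that streams the file. The allow-list is deliberately short and the default is the opaque type, so a new extension a developer forgets to map fails safe as a download instead of being rendered; the CSP and `nosniff` headers cover the case where the file still reaches a rendering context (recommendation 4), and the upload-side validation in recommendation 3 remains necessary because this filter only governs how stored content is served, not what gets stored.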


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-14T21:47:11.453Z
Cisa Enriched
true

Threat ID: 682d9847c4522896dcbf5518

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 8:50:40 AM

Last updated: 7/31/2025, 9:22:38 AM

