
CVE-2025-40615: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Bookgy Bookgy

Medium
Tags: Vulnerability, CVE-2025-40615, cve, cve-2025-40615, cwe-79
Published: Tue Apr 29 2025 (04/29/2025, 15:40:35 UTC)
Source: CVE
Vendor/Project: Bookgy
Product: Bookgy

Description

Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 02:04:52 UTC

Technical Analysis

CVE-2025-40615 is a reflected Cross-Site Scripting (XSS) vulnerability identified in all versions of the Bookgy application, specifically within the /api/api_ajustes.php endpoint. The vulnerability arises from improper neutralization of user input in the "TEXTO" parameter, which allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. This type of XSS attack is classified under CWE-79, indicating that the application fails to adequately sanitize or encode user-supplied data before including it in dynamically generated web pages. The vulnerability is exploitable remotely without requiring authentication (AV:N, PR:N) and has a low attack complexity (AC:L). However, it requires user interaction (UI:A), meaning the victim must be tricked into clicking a crafted malicious URL. The vulnerability does not impact confidentiality, integrity, or availability directly (VC:N, VI:N, VA:N), but it can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user if exploited. The CVSS 4.0 base score is 5.1, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved and published in April 2025, with INCIBE as the assigner. The reflected nature of the XSS means the malicious payload is not stored on the server but reflected immediately in the response, which typically limits the scope but still poses significant risk to end users interacting with the vulnerable endpoint.

Potential Impact

For European organizations using Bookgy, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Attackers can craft malicious URLs that, when clicked by employees or customers, execute arbitrary JavaScript in their browsers. This can lead to theft of session cookies, enabling account takeover, unauthorized actions within the application, or redirection to malicious sites. While the vulnerability does not directly affect system availability or backend data integrity, the indirect consequences such as compromised user accounts or reputational damage can be significant. Organizations in sectors with sensitive data or regulatory requirements (e.g., finance, healthcare, public sector) may face compliance risks if user data is exposed or manipulated. Additionally, phishing campaigns leveraging this vulnerability could increase the attack surface. The lack of authentication requirement and low complexity of exploitation increase the likelihood of successful attacks, especially in environments where users are not trained to recognize suspicious URLs. Given that all versions of Bookgy are affected, organizations that have not implemented mitigations or workarounds remain vulnerable.

Mitigation Recommendations

1. Immediately implement input validation and output encoding on the "TEXTO" parameter in /api/api_ajustes.php so that malicious script content is neutralized before it is rendered. Use context-aware encoding libraries (HTML body, attribute, JavaScript and URL contexts each need their own encoding) to prevent injection.
2. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable parameter.
3. Educate users and employees about the risks of clicking unsolicited or suspicious URLs, especially those containing unusual query parameters.
4. Monitor web server logs for unusual requests to /api/api_ajustes.php with suspicious "TEXTO" parameter values to detect potential exploitation attempts.
5. If possible, implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
6. Coordinate with the Bookgy vendor or community to obtain or develop patches and apply them promptly once available.
7. Consider temporarily disabling or restricting access to the vulnerable endpoint, if feasible, until a patch is released.
8. Conduct regular security assessments and penetration testing focused on input validation to identify similar vulnerabilities.
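The following is an added example (not Bookgy's code and not from the advisory) showing two of the recommendations above in working form: step 4, scanning web server access logs for requests to /api/api_ajustes.php whose "TEXTO" value carries HTML or JavaScript injection markers (including double-URL-encoded values), and steps 1 and 5, rendering the reflected value with HTML-entity encoding for the HTML body context and attaching a Content-Security-Policy header. The log lines, IP addresses, the `<p class="ajuste">` markup and the CSP policy are constructed for illustration; the real endpoint's response format is unknown.

```python
"""Detection and hardened-rendering helpers for CVE-2025-40615 (added example, not Bookgy code)."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULNERABLE_PATH = "/api/api_ajustes.php"   # endpoint named in the advisory
PARAM = "TEXTO"                            # reflected parameter named in the advisory

# Combined access-log format (Apache/nginx style). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)

# Generic reflected-XSS indicators: tag injection, inline event handlers, javascript: URLs.
# Deliberately broad for triage; tune to the deployment to limit false positives.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def texto_values(target):
    """Return fully decoded TEXTO values for a request target, or [] if not the vulnerable path.

    parse_qs decodes one layer of URL encoding; the loop peels off further layers
    (bounded to 3) so that double-encoded payloads are inspected in their final form.
    """
    parts = urlsplit(target)
    if parts.path != VULNERABLE_PATH:
        return []
    values = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = raw
        for _ in range(3):
            again = unquote_plus(decoded)
            if again == decoded:
                break
            decoded = again
        values.append(decoded)
    return values


def is_suspicious(value):
    """True if the decoded TEXTO value contains an HTML/JS injection marker."""
    return XSS_MARKERS.search(value) is not None


def scan_log(lines):
    """Return (client_ip, decoded_value) for every suspicious TEXTO request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in texto_values(m["target"]):
            if is_suspicious(value):
                hits.append((m["ip"], value))
    return hits


# Hardened rendering (assumed response shape; the real api_ajustes.php markup is unknown).
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_texto(value):
    """Reflect TEXTO safely: entity-encode for the HTML body context and send a CSP header.

    html.escape(..., quote=True) also encodes quotes, so the same output is safe inside
    a quoted attribute; JavaScript or URL contexts would need their own encoders.
    """
    body = '<p class="ajuste">%s</p>' % html.escape(value, quote=True)
    headers = {"Content-Security-Policy": CSP_POLICY, "Content-Type": "text/html; charset=utf-8"}
    return body, headers


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2025:15:40:35 +0000] "GET /api/api_ajustes.php?TEXTO=Hola%20mundo HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Apr/2025:15:41:02 +0000] "GET /api/api_ajustes.php?TEXTO=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '198.51.100.7 - - [29/Apr/2025:15:41:10 +0000] "GET /api/api_ajustes.php?TEXTO=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 560',
    '198.51.100.8 - - [29/Apr/2025:15:42:00 +0000] "GET /index.php?TEXTO=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print("suspicious TEXTO from %s: %r" % (ip, value))
    body, headers = render_texto("<script>alert(1)</script>")
    print(body)
    print(headers["Content-Security-Policy"])
```

The scanner reports only the second and third sample lines: the first is ordinary text and the fourth targets a different path. The third line shows why decoding must be repeated: a double-encoded value looks harmless after one decode pass and only reveals the `<img ... onerror=` marker after the second. On the rendering side, the entity-encoded output contains no `<script` sequence at all, and the CSP header is a second layer that blocks inline script even if some other reflection point is missed.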


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T08:38:07.129Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d983cc4522896dcbee990

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 2:04:52 AM

Last updated: 8/11/2025, 1:17:53 PM
