CVE-2025-41084: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in SESAME LABS, S.L Sesame

Severity: Medium
Tags: Vulnerability, CVE-2025-41084, CWE-79
Published: Tue Jan 20 2026 (01/20/2026, 09:14:40 UTC)
Source: CVE Database V5
Vendor/Project: SESAME LABS, S.L
Product: Sesame

Description

CVE-2025-41084 is a stored Cross-Site Scripting (XSS) vulnerability affecting all versions of the Sesame web application by SESAME LABS, S.L. The flaw arises because uploaded SVG images are not properly sanitized, allowing attackers to embed malicious scripts within SVG files via the 'logo' parameter of the '/api/v3/companies/<ID>/logo' endpoint. These malicious scripts are stored on the server and executed in the context of any user who accesses the compromised resource, potentially leading to session hijacking, data theft, or unauthorized actions. The vulnerability has a medium CVSS 4.0 score of 5.1, reflecting network exploitability without authentication but requiring user interaction. No known exploits are currently reported in the wild. European organizations using Sesame are at risk, especially those with public-facing or multi-user deployments. Mitigation requires implementing strict SVG sanitization, restricting allowed SVG content, and applying input validation on the upload endpoint.

AI-Powered Analysis

AI analysis last updated: 01/20/2026, 09:35:16 UTC

Technical Analysis

CVE-2025-41084 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, found in the Sesame web application developed by SESAME LABS, S.L. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of uploaded SVG images. Attackers can exploit this by sending a crafted POST request to the '/api/v3/companies/<ID>/logo' endpoint, using the 'logo' parameter to upload an SVG file containing embedded malicious JavaScript code. Because the application does not sanitize the SVG content properly, the malicious script is stored on the server and later executed in the browser context of any user who views the affected resource, such as company logos displayed in the application. This stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, or further exploitation of the victim’s browser environment. The vulnerability affects all versions of Sesame, indicating a systemic issue in input validation and sanitization mechanisms. The CVSS 4.0 vector indicates the attack is network exploitable without authentication (AV:N, PR:L), requires user interaction (UI:P), and has limited scope and impact on confidentiality, integrity, and availability (VC:N, VI:N, VA:N). No public exploits are currently known, but the risk remains due to the nature of stored XSS and its potential for abuse in multi-user environments.

Potential Impact

For European organizations using the Sesame application, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Stored XSS can be leveraged to steal authentication tokens, perform actions on behalf of users, or deliver further malware payloads. Organizations with public-facing Sesame deployments or those that allow multiple users to upload logos or images are particularly vulnerable. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR if personal data is exposed), and potential disruption of business operations. Since the vulnerability affects all versions, organizations without timely mitigation remain exposed. The medium CVSS score reflects moderate risk, but the ease of exploitation via network and the stored nature of the XSS increase the threat in environments with many users. European sectors such as finance, healthcare, and government using Sesame could face targeted attacks exploiting this flaw.

Mitigation Recommendations

To mitigate CVE-2025-41084, organizations should implement strict server-side sanitization of all uploaded SVG files, removing or neutralizing any embedded scripts or potentially dangerous elements. Employing libraries specialized in secure SVG sanitization (e.g., DOMPurify configured for SVG) is recommended. Restrict the types of allowed SVG content to only essential graphical elements, disallowing script tags, event handlers, and external resource references. Additionally, enforce strong input validation on the '/api/v3/companies/<ID>/logo' endpoint to reject malformed or suspicious SVG uploads. Implement Content Security Policy (CSP) headers to limit script execution contexts and reduce XSS impact. Regularly audit and monitor logs for suspicious upload activity and user behavior. Finally, coordinate with SESAME LABS, S.L for official patches or updates and apply them promptly once available.
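The sanitization and validation steps described above, as an added example that is not code from Sesame or SESAME LABS, S.L: an allowlist-based SVG scrubber written in Python with only the standard library. It rejects uploads that are too large, carry a DOCTYPE or entity declarations, or do not parse to an SVG root; it then drops every element not on the allowlist (script, foreignObject, image, use, a, style, animation elements), every attribute not on the allowlist (which covers all on* event handlers), and any attribute value that references an external resource or a javascript: URL, while keeping fragment references such as fill="url(#id)". The malicious logo below is constructed for the demonstration; the endpoint path and the function names are assumptions.

```python
"""Allowlist-based SVG sanitizer for a logo upload endpoint (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

MAX_BYTES = 256 * 1024                   # assumed size limit for a logo
# Only plain drawing primitives survive; script, foreignObject, image, use,
# a, style and animation elements are deliberately absent.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath",
}
# No on* handlers, no href/xlink:href, no style attribute.
ALLOWED_ATTRS = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "version", "d", "points", "fill", "stroke",
    "stroke-width", "stroke-linecap", "stroke-linejoin", "opacity",
    "fill-opacity", "stroke-opacity", "transform", "offset", "stop-color",
    "stop-opacity", "clip-path", "font-size", "font-family", "text-anchor",
}
# Reject javascript:/data: URLs and url(...) references that are not fragments.
DANGEROUS_VALUE = re.compile(r"javascript:|data:|url\s*\(\s*(?!#)", re.I)
DECLARATION = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.I)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def validate_svg_upload(data: bytes) -> ET.Element:
    """Structural checks done before any sanitization; raises ValueError on failure."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload exceeds size limit")
    # Entity declarations enable entity-expansion attacks on the XML parser,
    # so refuse them textually before the parser ever sees the document.
    if DECLARATION.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)       # comments and PIs are dropped by the parser
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element must be <svg> in the SVG namespace")
    return root


def _scrub(elem: ET.Element, removed: list) -> None:
    """Recursively drop disallowed child elements and attributes, recording each."""
    for child in list(elem):             # copy: we mutate while iterating
        local = _local(child.tag)
        if child.tag != "{%s}%s" % (SVG_NS, local) or local not in ALLOWED_ELEMENTS:
            removed.append(f"element <{local}>")
            elem.remove(child)           # whole subtree goes with it
        else:
            _scrub(child, removed)
    for name in list(elem.attrib):
        local = _local(name)
        value = elem.attrib[name]
        if (local.lower().startswith("on") or local not in ALLOWED_ATTRS
                or DANGEROUS_VALUE.search(value)):
            removed.append(f"attribute {local} on <{_local(elem.tag)}>")
            del elem.attrib[name]


def sanitize_svg(data: bytes):
    """Return (cleaned SVG bytes, list of what was removed) or raise ValueError."""
    root = validate_svg_upload(data)
    removed: list = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


def is_acceptable_upload(data: bytes) -> bool:
    """Boolean form of the structural checks, for the upload handler's fast reject."""
    try:
        validate_svg_upload(data)
        return True
    except ValueError:
        return False


# Constructed sample: a logo carrying the payload kinds the advisory describes
# (inline script, event handlers, external references, javascript: link).
MALICIOUS_LOGO = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="alert(1)">
  <script>alert(1)</script>
  <defs><linearGradient id="brand"><stop offset="0" stop-color="#0af"/>
    <stop offset="1" stop-color="#08c"/></linearGradient></defs>
  <rect x="10" y="10" width="80" height="80" fill="url(#brand)"/>
  <circle cx="50" cy="50" r="20" fill="url(http://evil.invalid/x.png)" onclick="alert(1)"/>
  <image xlink:href="http://evil.invalid/track.png" width="1" height="1"/>
  <a xlink:href="javascript:alert(1)"><text x="20" y="55">Logo</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject>
</svg>
"""

if __name__ == "__main__":
    cleaned, dropped = sanitize_svg(MALICIOUS_LOGO)
    print(cleaned.decode())
    print("removed:", *dropped, sep="\n  ")
```

The scrubber is strict by design: dropping `<a>` also discards the text it wrapped, and `<use>`/`<image>` are gone even when they point at internal fragments, which is the right trade-off for a company logo. Serve the stored file with `Content-Type: image/svg+xml` and reference it from an `<img>` element rather than inlining it into the page, so that even a sanitizer miss cannot run in the application's origin, and keep the CSP the advisory recommends as the second layer.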

Technical Details

Data Version: 5.2
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:35.597Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696f48f94623b1157c2703fb

Added to database: 1/20/2026, 9:20:57 AM

Last enriched: 1/20/2026, 9:35:16 AM

Last updated: 1/20/2026, 12:47:42 PM