
CVE-2025-41084: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in SESAME LABS S.L Sesame

Severity: Medium
Tags: Vulnerability, CVE-2025-41084, CWE-79
Published: Tue Jan 20 2026 (01/20/2026, 09:14:40 UTC)
Source: CVE Database V5
Vendor/Project: SESAME LABS S.L
Product: Sesame

Description

Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource.

AI-Powered Analysis

Last updated: 01/30/2026, 08:29:25 UTC

Technical Analysis

CVE-2025-41084 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting all versions of the Sesame web application developed by SESAME LABS S.L. The flaw stems from improper neutralization of input during web page generation, specifically when handling uploaded SVG images. An attacker can exploit it by sending a specially crafted POST request to the '/api/v3/companies/<ID>/logo' endpoint, using the 'logo' parameter to upload an SVG file containing embedded JavaScript. Because the application does not sanitize or validate the SVG content, the script is stored on the server and executes in the browser of any user who accesses the affected resource, for example when viewing the company logo.

A stored XSS of this kind can lead to session hijacking, credential theft, unauthorized actions performed on behalf of the victim, or further exploitation of the victim's browser environment.

Per the CVSS 4.0 vector, exploitation requires only low privileges (PR:L) and passive user interaction (UI:P), meaning the victim only needs to view the resource rather than take a deliberate action. The vector further indicates a network attack vector, low attack complexity and limited impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and rated medium severity with a CVSS score of 5.1. Its presence in all versions of Sesame indicates a systemic gap in input sanitization for SVG uploads.

Potential Impact

For European organizations using the Sesame web application, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute arbitrary scripts in the context of users accessing the compromised resource, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the application. This can undermine user trust, lead to data breaches, and cause reputational damage. Since Sesame is used for company-related data, attackers might leverage this to gain further footholds or pivot to other systems. The medium severity reflects the fact that exploitation requires some user interaction and low privilege access, limiting the attack surface somewhat. However, the widespread impact on confidentiality and integrity of user sessions and data is significant. European organizations with public-facing Sesame instances or those that allow multiple users to upload logos are particularly at risk. The lack of current patches means organizations must rely on mitigations until an official fix is released.

Mitigation Recommendations

Organizations should immediately implement strict input validation and sanitization for SVG uploads, ideally disallowing SVG files or using a secure SVG sanitizer that removes scripts and potentially dangerous elements. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any injected scripts. Limit the ability to upload logos or images to trusted users only and monitor upload endpoints for suspicious activity. Conduct regular security reviews and penetration testing focused on file upload functionalities. If possible, isolate the logo display context to prevent script execution or use sandboxed iframes. Keep the Sesame application updated and monitor SESAME LABS S.L communications for patches addressing this vulnerability. Additionally, educate users about the risks of interacting with untrusted content and implement multi-factor authentication to reduce the impact of session hijacking.
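The following is an added example, not Sesame's code and not part of this advisory, of how an upload handler can apply the first two recommendations above: strip (or, in strict mode, reject) SVG active content such as script elements, event-handler attributes and non-fragment links, and serve stored logos with headers that contain any script that slips through. The handler name, the size cap, the header set and the sample SVGs are assumptions constructed for illustration.

```python
"""Added example: gate an SVG logo upload by stripping or rejecting active content.

Not Sesame's code; the function names, the size cap, the header set and the
sample SVGs are assumptions/constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_LOGO_BYTES = 256 * 1024  # assumed size cap for a company logo

# Keep serialisation free of ns0: prefixes so browsers still treat it as SVG.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script, embed foreign documents or pull in external
# resources; a logo never needs them, so they are dropped outright.
FORBIDDEN_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object",
    "use", "image", "style", "animate", "set", "handler",
}
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _safe_url(value: str) -> bool:
    """Only same-document fragment references (#id) are allowed in a logo."""
    return value.strip().startswith("#")


def _scrub(elem: ET.Element, removed: List[str]) -> None:
    """Depth-first removal of forbidden elements and dangerous attributes."""
    for child in list(elem):
        name = _local(child.tag)
        if name in FORBIDDEN_ELEMENTS:
            elem.remove(child)
            removed.append(f"element:{name}")
            continue
        _scrub(child, removed)
    for attr in list(elem.attrib):
        local = _local(attr)
        value = elem.attrib[attr]
        if local.lower().startswith("on"):                       # onload, onclick, ...
            del elem.attrib[attr]
            removed.append(f"attr:{local}")
        elif attr in URL_ATTRIBUTES and not _safe_url(value):   # javascript:, http:, data:
            del elem.attrib[attr]
            removed.append(f"attr:{local}")
        elif local == "style" and "url(" in value.lower():       # external fetch via CSS
            del elem.attrib[attr]
            removed.append("attr:style")


def sanitize_svg(data: bytes) -> Tuple[bytes, List[str]]:
    """Parse the upload, remove active content, and report what was removed."""
    root = ET.fromstring(data)  # raises ET.ParseError on malformed input
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: List[str] = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


def accept_logo_upload(data: bytes, strict: bool = True):
    """Gate for a logo upload handler. Returns (accepted, clean_body_or_reason).

    strict=True rejects any file that needed scrubbing, the safer policy for a
    logo: a legitimate image never carries script to begin with.
    """
    if len(data) > MAX_LOGO_BYTES:
        return False, "logo exceeds size limit"
    try:
        clean, removed = sanitize_svg(data)
    except (ET.ParseError, ValueError) as exc:
        return False, f"not a valid SVG: {exc}"
    if removed and strict:
        return False, "active content found: " + ", ".join(removed)
    return True, clean


def logo_response_headers() -> Dict[str, str]:
    """Headers for serving a stored logo; defence in depth if sanitisation misses."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Applies when the SVG is opened as a document (direct navigation,
        # <object>/<iframe>); <img> embedding never runs SVG script anyway.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "Content-Disposition": 'inline; filename="logo.svg"',
    }


# Constructed sample: a logo carrying an inline script, an event handler and a
# javascript: link, plus a harmless fragment link that must survive scrubbing.
SAMPLE_LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" onload="marker()">
  <script>/* constructed marker, not a payload */</script>
  <a xlink:href="javascript:marker()"><circle cx="50" cy="50" r="40" fill="#336"/></a>
  <a href="#legend"><rect x="1" y="1" width="5" height="5"/></a>
</svg>"""

if __name__ == "__main__":
    ok, result = accept_logo_upload(SAMPLE_LOGO)
    print("strict accept:", ok, "->", result)
    clean, removed = sanitize_svg(SAMPLE_LOGO)
    print("removed:", removed)
    print(clean.decode())
```

The strict policy is the one to prefer for a logo field: a file that needed scrubbing is evidence of tampering, and rejecting it keeps the stored artefact identical to what was uploaded. Note that the stdlib parser does not fetch external entities, but a production handler should also cap entity expansion (for example with defusedxml) before parsing untrusted XML, and the CSP header on the logo response only matters when the SVG is rendered as its own document, which is exactly the case in which embedded script would otherwise run.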


Technical Details

Data Version: 5.2
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:35.597Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696f48f94623b1157c2703fb

Added to database: 1/20/2026, 9:20:57 AM

Last enriched: 1/30/2026, 8:29:25 AM

Last updated: 2/7/2026, 11:24:34 AM

Views: 37

