CVE-2025-45002 is a Cross Site Scripting (XSS) vulnerability affecting Vigybag version 1.0 and earlier. The vulnerability exists in the upload profile picture functionality under the 'my profile' section of the application. An attacker with at least limited privileges (PR:L) and requiring user interaction (UI:R) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L). The vulnerability allows injection of malicious scripts due to improper sanitization or validation of user-supplied input when uploading profile pictures. This can lead to a reflected or stored XSS attack, where malicious JavaScript code executes in the context of other users' browsers. The CVSS v3.1 base score is 5.4, indicating a medium severity. The impact includes limited confidentiality and integrity loss, as attackers may steal session tokens, perform actions on behalf of users, or manipulate displayed content. Availability is not affected. The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, potentially impacting other users. No known exploits are currently in the wild, and no patches or vendor information are provided. The vulnerability is categorized under CWE-79, which is the standard classification for XSS issues.

For European organizations using Vigybag v1.0 or earlier, this vulnerability poses a moderate risk. Exploitation could allow attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions within the application, potentially leading to data breaches or reputational damage. Since the vulnerability requires user interaction, phishing or social engineering could be used to lure users into triggering the malicious payload. The impact is particularly significant for organizations handling personal or sensitive data, such as financial institutions, healthcare providers, or government agencies. Additionally, the scope change indicates that the vulnerability could affect multiple users or components, increasing the risk of widespread compromise within an organization. While availability is not impacted, the confidentiality and integrity concerns warrant attention, especially under the GDPR framework, where data protection and breach notification requirements are stringent.

Organizations should implement strict input validation and sanitization on the profile picture upload functionality to prevent injection of malicious scripts. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Since no official patches are currently available, organizations should consider temporary workarounds such as disabling the profile picture upload feature or restricting it to trusted users only. User education on recognizing phishing attempts and suspicious links is critical to reduce the risk of user interaction exploitation. Regular security testing, including automated scanning and manual code reviews focusing on input handling, should be conducted. Monitoring application logs for unusual activity related to profile updates can help detect attempted exploitation. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once released.