CVE-2025-45662: n/a

Medium
Published: Thu Jul 10 2025 (07/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A cross-site scripting (XSS) vulnerability in the component /master/login.php of mpgram-web commit 94baadb allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload.

AI-Powered Analysis

Last updated: 07/17/2025, 21:01:24 UTC

Technical Analysis

CVE-2025-45662 is a cross-site scripting (XSS) vulnerability identified in the /master/login.php component of the mpgram-web application. It allows an attacker to inject and execute arbitrary JavaScript within a user's browser session by supplying a crafted payload that the vulnerable login page reflects into its response without proper encoding. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation), the weakness class behind XSS. The CVSS v3.1 base score is 6.1, a medium severity. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates an attack that is reachable over the network, of low complexity and requiring no privileges, but that does require user interaction (the victim must open or follow the crafted payload). The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component itself, and confidentiality and integrity are impacted to a limited extent, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. Successful exploitation could be used to steal user session tokens, perform actions on behalf of users, or redirect users to malicious sites, potentially leading to further compromise or data leakage.

Potential Impact

For European organizations using mpgram-web, this XSS vulnerability poses a risk primarily to the confidentiality and integrity of user data. Attackers could leverage this flaw to hijack user sessions, steal sensitive information such as login credentials or personal data, and perform unauthorized actions within the application. This is particularly concerning for organizations handling sensitive or regulated data under GDPR, as exploitation could lead to data breaches and regulatory penalties. The requirement for user interaction means phishing or social engineering tactics could be used to trick users into triggering the exploit. While availability is not directly impacted, the reputational damage and potential compliance violations could have significant operational and financial consequences. Organizations with web-facing mpgram-web login portals are at risk, especially if users have elevated privileges or access to critical systems. The scope change in the CVSS vector suggests that the vulnerability could affect other components or data beyond the login page, increasing the potential impact.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Immediately review every point where user-supplied input is reflected into the /master/login.php response and apply context-aware output encoding (HTML body, HTML attribute, JavaScript and URL contexts each need their own encoder) so that injected markup cannot become executable script.
2) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, in particular inline scripts and scripts from untrusted origins.
3) Educate users about phishing and social engineering risks to reduce the likelihood that they interact with a malicious link or payload.
4) Monitor web application logs for suspicious input patterns on the login page or repeated failed login attempts that may indicate exploitation attempts.
5) If possible, isolate the login component behind additional security layers such as Web Application Firewalls (WAFs) configured to detect and block XSS payloads.
6) Coordinate with the mpgram-web vendor or development team to obtain or develop a patch addressing this vulnerability and apply it promptly once available.
7) Conduct regular security assessments and penetration testing focused on XSS and input validation weaknesses in the application.
8) Consider implementing multi-factor authentication (MFA) to reduce the impact of credential theft resulting from XSS exploitation.
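As an added illustration of recommendations 1) and 2), the following hypothetical PHP fragment is not code from mpgram-web or from the CVE record. It contrasts the unsafe reflection pattern that CWE-79 describes with a hardened rendering of the same login page: every interpolation point is encoded for its context, and a restrictive CSP is sent as a second line of defence. The parameter names (error, username, next), the helper function names and the exact CSP policy are assumptions.

```php
<?php
// Added example, not mpgram-web code. Parameter names, helper names and
// the CSP policy below are assumptions chosen for illustration.
declare(strict_types=1);

// Recommendation 2): send a restrictive CSP before any output. With no
// 'unsafe-inline', a reflected <script> or on* handler that slipped past
// encoding would still be refused by the browser.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

// Recommendation 1): one encoder per output context.

// HTML body and attribute context: escape & < > " ' so input can never
// close a tag or attribute. ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the whole string into "".
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JSON/JavaScript string context: the JSON_HEX_* flags hex-escape < > & ' "
// so a value can never contain a literal "</script>" or break the literal.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-string context.
function e_url(string $s): string
{
    return rawurlencode($s);
}

// UNSAFE (shown for contrast only): the error message and the previously
// entered username are concatenated straight into the markup. Any markup
// or event handler in either value becomes part of the page.
function render_login_unsafe(string $error, string $username): string
{
    return '<p class="error">' . $error . '</p>'
         . '<input name="username" value="' . $username . '">';
}

// HARDENED: identical page, but each value passes through the encoder
// for the context it lands in.
function render_login_safe(string $error, string $username, string $next): string
{
    return '<p class="error">' . e_html($error) . '</p>'
         . '<form method="post" action="/master/login.php?next=' . e_url($next) . '">'
         . '<input name="username" value="' . e_html($username) . '">'
         . '<input type="password" name="password">'
         . '<button type="submit">Log in</button>'
         . '</form>'
         // Data for the page's external script is shipped as an inert JSON
         // block (not executed, so it is allowed under the CSP above) and
         // encoded for the JS/JSON context rather than the HTML one.
         . '<script type="application/json" id="login-config">'
         . e_js($username)
         . '</script>'
         . '<script src="/static/login.js"></script>';
}

// Request handling: read inputs, encode only at the point of output.
send_security_headers();
$error    = (string) ($_GET['error']     ?? '');
$username = (string) ($_POST['username'] ?? '');
$next     = (string) ($_GET['next']      ?? '/');
echo render_login_safe($error, $username, $next);
```

The ordering matters: encoding at the output point is the actual fix, and the CSP is defence in depth that limits damage if an interpolation point is missed. Both headers must be sent before the first byte of the body, which is why send_security_headers() runs before any echo.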

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 687014fca83201eaaca979b8

Added to database: 7/10/2025, 7:31:08 PM

Last enriched: 7/17/2025, 9:01:24 PM

Last updated: 8/3/2025, 12:37:27 AM
