CVE-2025-46450 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the x000x occupancyplan software, affecting versions up to and including 1.0.3.0. The vulnerability allows an attacker to perform unauthorized actions on behalf of an authenticated user without their consent. Specifically, this CSRF flaw enables Stored Cross-Site Scripting (Stored XSS) attacks, where malicious scripts can be permanently injected into the application and executed in the context of other users' browsers. The combination of CSRF and Stored XSS significantly increases the attack surface, as CSRF can be used to trick authenticated users into submitting malicious requests that store XSS payloads. Once stored, these payloads can execute whenever a victim accesses the affected page, potentially leading to session hijacking, credential theft, or further exploitation of the victim's browser environment. The vulnerability affects occupancyplan, a product by x000x, which is used for occupancy planning and management. The lack of a patch or mitigation link at the time of disclosure indicates that the vendor has not yet released an official fix. No known exploits are currently reported in the wild, but the presence of a CSRF vulnerability combined with Stored XSS is a serious concern due to the ease of exploitation and potential for persistent impact. The vulnerability was reserved and published on April 24, 2025, and has been enriched by CISA, highlighting its relevance in the cybersecurity community. The CWE classification CWE-352 confirms the nature of the vulnerability as a CSRF issue.

For European organizations using x000x occupancyplan, this vulnerability poses a moderate to high risk. The Stored XSS enabled by CSRF can lead to unauthorized actions being performed silently, including data manipulation or leakage, unauthorized configuration changes, or the injection of malicious scripts that compromise user sessions. This can affect confidentiality by exposing sensitive user data, integrity by allowing unauthorized changes to occupancy data or system configurations, and availability if the injected scripts disrupt normal operations. Organizations in sectors such as real estate management, facility management, and corporate real estate services that rely on occupancyplan for space utilization and planning are particularly at risk. The persistent nature of Stored XSS means that once exploited, the vulnerability can affect multiple users over time, increasing the potential damage. Additionally, given the lack of patches, attackers could exploit this vulnerability in targeted phishing or social engineering campaigns to trick users into executing malicious requests. The impact is amplified in environments where occupancyplan is integrated with other internal systems or where users have elevated privileges. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains significant due to the nature of the vulnerability.

Implement strict anti-CSRF tokens in all state-changing requests within occupancyplan to ensure that requests originate from legitimate users and sessions. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of Stored XSS payloads. Conduct thorough input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. Restrict user privileges within occupancyplan to the minimum necessary, reducing the potential impact of a successful exploit. Monitor web application logs for unusual POST requests or patterns indicative of CSRF or XSS exploitation attempts. Educate users on the risks of clicking on suspicious links or performing actions from untrusted sources while authenticated. If possible, isolate occupancyplan instances behind web application firewalls (WAFs) configured to detect and block CSRF and XSS attack patterns. Engage with the vendor (x000x) for timely updates and patches, and consider temporary compensating controls such as disabling vulnerable features or restricting access until a fix is available.