CVE-2025-46509: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Andrey Mikhalchuk 360 View
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrey Mikhalchuk 360 View allows Stored XSS. This issue affects 360 View: from n/a through 1.1.0.
AI Analysis
Technical Summary
CVE-2025-46509 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Andrey Mikhalchuk 360 View product. All releases up to and including 1.1.0 are affected; the "from n/a" wording in the record means no lower bound was established. The CVE was assigned by Patchstack, a CNA whose assignments almost always concern WordPress plugins and themes, which suggests (the record does not say so explicitly) that 360 View is deployed as a plugin inside a WordPress site. The root cause is improper neutralization of input during web page generation: content supplied by a user is saved by the product and later written into HTML without output encoding appropriate to the context (HTML text, attribute value or URL) in which it lands. In a stored XSS the payload is persisted server-side, in a database field, a caption or a setting, and is delivered to every user who subsequently loads the page that renders it, so it runs in those users' browsers under the site's own origin. From that position a script can read cookies that are not flagged HttpOnly, capture credentials typed into injected forms, issue requests with the victim's privileges (for an administrator that includes changing settings, creating accounts or installing code), or redirect the visitor to malware or phishing pages. The public record does not state which field carries the payload or which user role is required to plant it, so the privilege needed for exploitation cannot be determined from this page alone. No patch had been published at the time of writing and no exploitation in the wild is known. The record was reserved and published on April 24, 2025, and carries CISA enrichment data (metadata CISA adds to CVE records through its Vulnrichment program); that flag does not indicate active exploitation or inclusion in the Known Exploited Vulnerabilities catalog. The record publishes no CVSS score, so the medium rating shown on this page is an independent assessment based on the vulnerability class rather than a vendor or NVD value.
Potential Impact
For European organizations running 360 View, the exposure is primarily to the confidentiality and integrity of the site and of its users' sessions; availability is affected only indirectly, for example when an attacker who has taken over an administrator session defaces or disables the site. A script executing under the site's origin can read cookies that lack the HttpOnly flag, capture credentials typed into injected forms, and send requests with the victim's privileges, which lets the attacker act as that user and, when the victim is an administrator, as the site administrator. Realistic outcomes are theft of personal data, unauthorized changes to content or settings, and the use of a trusted site to serve malware or phishing pages to employees and customers. Because the site's own domain delivers the payload, reputational damage and GDPR obligations follow if personal data is exposed: notification of the supervisory authority and, where the risk is high, of the data subjects, plus possible fines for inadequate technical measures. No exploitation in the wild is known at present, but stored XSS is attractive to attackers because the payload persists and fires for every visitor without a lure link. The medium rating on this page reflects the vulnerability class; the actual risk depends on two facts the public record does not state: which user role can plant the payload (an unauthenticated or low-privileged submitter is far more serious than an administrator editing their own settings) and which users view the page that renders it (administrative screens make takeover of privileged accounts likely).
Mitigation Recommendations
Given the absence of official patches, European organizations should apply compensating controls now and plan to update as soon as a fixed release appears. Start by establishing who can submit the content that 360 View renders: if low-privileged or unauthenticated users can populate the affected fields, restrict those capabilities or disable the product until a fix ships. Review the content 360 View has already stored for script tags, on* event-handler attributes and javascript: URLs, since a payload planted before detection keeps firing on every page view. If you maintain or fork the code, the correct fix is output encoding at the point of rendering, matched to the context: HTML-entity encoding for text nodes, attribute encoding for attribute values, and scheme validation for href and src; input filtering alone is bypassable. Deploy a Content Security Policy that disallows inline script (a nonce- or hash-based script-src without 'unsafe-inline'); this only works if every legitimate inline script on the site carries the nonce or hash, so roll it out in report-only mode first. Set session cookies with the HttpOnly and SameSite attributes so a payload cannot simply read them; this closes the easiest session-theft path but not the ability to act as the user from inside the page. Reduce what the affected site shares with other applications: a separate domain with its own cookies limits what a single XSS can reach. Conduct code review and penetration testing focused on input handling and stored-data rendering. Monitor for exploitation attempts, bearing in mind that web-server access logs show query strings but not POST bodies, so application-level or WAF request logging, or periodic review of stored content, is needed to see what was actually submitted. User awareness training still helps against the phishing content an XSS can inject, but a stored XSS needs no link to be clicked, so treat it as a secondary control. Finally, maintain contact with the vendor and track the advisory so the fixed version can be applied promptly.
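As an added example of the monitoring step above (not code from the original page or from the vendor), the following JavaScript parses web-server access-log lines, percent-decodes each query parameter repeatedly so that double-encoded payloads are seen as the application would eventually see them, and reports which parameter tripped which indicator. The log lines, client addresses and the `/gallery/save` path are constructed for the demo; the indicator list is a starting point to tune, not a complete signature set.

```javascript
// Added example, not code from the original page: scan web-server access logs
// for requests whose query parameters carry XSS-style payloads. The log lines,
// hosts, IPs and paths below are constructed for the demo.

const SAMPLE_LOG = `
203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /gallery/save?id=4&title=Product+tour HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2025:10:03:11 +0000] "GET /gallery/save?id=4&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Apr/2025:10:04:40 +0000] "GET /gallery/save?id=4&caption=%2522%2520onerror%253Dalert(document.domain) HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [25/Apr/2025:10:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
`;

// Apache/nginx "combined" format: client, timestamp, method, target, status, bytes.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/;

// Starter indicator list; tune it against your application's real parameters.
const INDICATORS = [
  ["script-tag", /<\s*script\b/i],
  ["event-handler", /\bon(error|load|mouse\w*|click|focus|blur|key\w*|animation\w*|toggle|pointer\w*)\s*=/i],
  ["javascript-uri", /javascript\s*:/i],
  ["active-element", /<\s*(img|svg|iframe|object|embed|math)\b/i],
];

// Undo form encoding, then percent-decode repeatedly so double-encoded payloads
// (%2522 -> %22 -> ") are seen as the application will eventually see them.
function fullyDecode(value, maxRounds = 3) {
  let cur = value.replace(/\+/g, " ");
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; } // malformed escape: stop
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Split "/path?a=1&b=2" into the path and raw [name, value] pairs.
function parseQuery(target) {
  const q = target.indexOf("?");
  if (q < 0) return { path: target, params: [] };
  const params = target.slice(q + 1).split("&").filter(Boolean).map((kv) => {
    const eq = kv.indexOf("=");
    return eq < 0 ? [kv, ""] : [kv.slice(0, eq), kv.slice(eq + 1)];
  });
  return { path: target.slice(0, q), params };
}

// One finding per suspicious parameter: who sent it, where, and which
// indicator fired on the decoded value.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const m = LOG_RE.exec(line.trim());
    if (!m) continue;
    const [, ip, time, method, target, status] = m;
    const { path, params } = parseQuery(target);
    for (const [rawName, rawValue] of params) {
      const decoded = fullyDecode(rawValue);
      const hit = INDICATORS.find(([, re]) => re.test(decoded));
      if (hit) findings.push({ ip, time, method, path, status, param: fullyDecode(rawName), indicator: hit[0], decoded });
    }
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG));
```

The third sample line is the instructive one: the raw log shows only `%2522%2520onerror...`, which a single decode turns into `%22%20onerror=` and no simple string match catches; only the second decode exposes the attribute breakout. The same INDICATORS can be run over values pulled from the application's database to find payloads that were already stored, which matters here because access logs never contain the POST bodies through which most stored content is submitted.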
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-24T14:23:11.074Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf09d2
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 8:42:25 AM
Last updated: 7/31/2025, 12:15:13 PM
Views: 16
Related Threats
- CVE-2025-9053: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-9052: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-9019: Heap-based Buffer Overflow in tcpreplay (Low)
- CVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System (Medium)
- CVE-2025-9051: SQL Injection in projectworlds Travel Management System (Medium)