CVE-2025-47442: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CC CC BMI Calculator
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CC CC BMI Calculator allows Stored XSS. This issue affects CC BMI Calculator: from n/a through 2.1.0.
AI Analysis
Technical Summary
CVE-2025-47442 is a security vulnerability classified under CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the CC BMI Calculator product, versions up to and including 2.1.0. The flaw is a Stored XSS: input submitted by an attacker is persisted by the application and later rendered into web pages without proper sanitization or output encoding, so injected script executes in the browsers of every user who views the affected pages. The CVSS v3.1 base score is 6.5 (medium). The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L) and user interaction (UI:R), and has a limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable one. Stored XSS vulnerabilities can lead to session hijacking, credential theft, defacement, or distribution of malware. Although no exploits are known in the wild yet, the presence of this flaw in a web-facing application that calculates BMI (Body Mass Index) indicates that user input fields are not properly neutralized before being stored and rendered. The lack of an available patch at the time of publication increases the risk for organizations using this product. The vulnerability was published on May 7, 2025; the CVE was assigned by Patchstack and the record has been enriched by CISA.
Potential Impact
For European organizations, the impact of this Stored XSS vulnerability in the CC BMI Calculator can be significant, especially if the application is integrated into healthcare, wellness, or employee health monitoring portals. Exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to theft of sensitive personal health information, session tokens, or credentials. This can result in privacy violations under GDPR, leading to regulatory fines and reputational damage. Furthermore, attackers could use the vulnerability to deliver malware or redirect users to malicious sites, increasing the risk of broader compromise. The scope change in the CVSS vector suggests that the vulnerability could affect multiple components or systems interconnected with the BMI Calculator, amplifying the potential damage. Given the medium severity and requirement for some privileges and user interaction, the threat is moderate but should not be underestimated, particularly in sectors handling sensitive data. The absence of known exploits currently provides a window for mitigation before widespread attacks occur.
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Immediately audit and sanitize all user inputs in the CC BMI Calculator, employing robust server-side input validation and output encoding techniques to neutralize malicious scripts.
2) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3) Restrict privileges required to access the vulnerable functionality, minimizing the number of users who can input data that is stored and rendered.
4) Monitor web application logs for suspicious input patterns indicative of attempted XSS exploitation.
5) Engage with the vendor (CC) to obtain patches or updates as soon as they become available; if no patches exist, consider temporary removal or isolation of the vulnerable component.
6) Educate users about the risks of interacting with untrusted content and encourage cautious behavior when clicking links or submitting data.
7) Conduct regular security assessments and penetration testing focused on XSS and related injection vulnerabilities.
These steps go beyond generic advice by emphasizing privilege restriction, CSP implementation, and proactive monitoring tailored to the specific product and vulnerability context.
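The following added example (not code from the CC BMI Calculator or from this record) illustrates mitigation steps 1, 2 and 4 on a hypothetical stored BMI entry: the CWE-79 rendering pattern beside a hardened version that validates on input and encodes on output, a restrictive CSP header value, and a minimal heuristic for flagging suspicious stored input during log review. The entry structure, field names and sample records are constructed for the example.

```python
import html
from dataclasses import dataclass

@dataclass
class BmiEntry:
    name: str        # free-text field that is stored and later rendered
    height_cm: float
    weight_kg: float

def bmi(entry: BmiEntry) -> float:
    return round(entry.weight_kg / (entry.height_cm / 100) ** 2, 1)

def render_vulnerable(entries) -> str:
    # CWE-79 pattern: the stored name is concatenated straight into the HTML.
    return "".join(f"<li>{e.name}: {bmi(e)}</li>" for e in entries)

def render_hardened(entries) -> str:
    # Output encoding at render time, for the HTML text context the value lands in.
    return "".join(f"<li>{html.escape(e.name, quote=True)}: {bmi(e)}</li>" for e in entries)

def validate_entry(raw: dict) -> BmiEntry:
    # Server-side validation on input: length-bounded name, plausible numeric ranges.
    name = str(raw.get("name", ""))[:64]
    h, w = float(raw["height_cm"]), float(raw["weight_kg"])
    if not (50 <= h <= 272 and 2 <= w <= 635):
        raise ValueError("height/weight out of range")
    return BmiEntry(name, h, w)

# Mitigation step 2: a CSP that blocks inline script so a stored payload cannot run
# even if encoding is missed somewhere (hypothetical policy, tune to the site).
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

def looks_like_xss_attempt(value: str) -> bool:
    # Mitigation step 4: crude heuristic for triaging stored values or request logs.
    lowered = value.lower()
    return any(tok in lowered for tok in ("<script", "javascript:", "onerror=", "onload="))

# Constructed sample records: one benign, one carrying a script-tag probe string.
SAMPLE = [{"name": "Alice", "height_cm": 170, "weight_kg": 65},
          {"name": "<script>probe()</script>", "height_cm": 180, "weight_kg": 81}]

if __name__ == "__main__":
    entries = [validate_entry(r) for r in SAMPLE]
    print(render_vulnerable(entries))   # script tag survives into the page
    print(render_hardened(entries))     # script tag rendered as inert text
```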
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-07T09:38:32.078Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981ac4522896dcbd905f
Added to database: 5/21/2025, 9:08:42 AM
Last enriched: 7/5/2025, 10:54:33 AM
Last updated: 8/18/2025, 11:24:42 PM