CVE-2025-48113 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Broadstreet advertising platform up to version 1.51.8. This vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability requires low attack complexity (AC:L), but does require privileges (PR:L) and user interaction (UI:R) to exploit. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The CVSS score of 6.5 (medium severity) reflects the combined impact on confidentiality, integrity, and availability, each rated as low impact individually but collectively significant. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is network exploitable and can be leveraged remotely by authenticated users who can inject malicious input that is then stored and served to other users, making it a persistent threat vector within affected Broadstreet deployments.

For European organizations using Broadstreet for digital advertising and content delivery, this vulnerability poses a risk of client-side attacks that can compromise user data and trust. Stored XSS can lead to theft of session cookies or credentials of site administrators or end-users, enabling further unauthorized access or privilege escalation. It can also facilitate phishing campaigns or malware distribution through compromised web pages. The impact on confidentiality, integrity, and availability, while individually moderate, can cumulatively disrupt business operations, damage brand reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed. Given the interconnected nature of advertising platforms, exploitation could also affect third-party partners and advertisers. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple users or weak access controls.

Organizations should prioritize applying any forthcoming patches or updates from Broadstreet as soon as they become available. In the interim, implement strict input validation and output encoding on all user-supplied data within the Broadstreet platform to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and tighten user privilege assignments to minimize the number of users with write or administrative access to the platform. Conduct regular security audits and penetration testing focused on XSS vectors within the advertising content and administrative interfaces. Additionally, monitor logs for unusual input patterns or script injections and educate users about the risks of interacting with suspicious content. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Broadstreet components.