CVE-2025-48291: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Wasiliy Strecker / ContestGallery developer Contest Gallery

Severity: High
Type: Vulnerability
Tags: CVE-2025-48291, cve, cve-2025-48291, cwe-79
Published: Wed Jul 16 2025 (07/16/2025, 11:28:02 UTC)
Source: CVE Database V5
Vendor/Project: Wasiliy Strecker / ContestGallery developer
Product: Contest Gallery

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 26.0.6.

AI-Powered Analysis

Last updated: 07/16/2025, 12:05:53 UTC

Technical Analysis

CVE-2025-48291 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Contest Gallery software developed by Wasiliy Strecker. It stems from improper neutralization of input during web page generation, classified under CWE-79: the application fails to adequately sanitize or encode user-supplied input before rendering it in web pages, so an attacker can inject malicious scripts that are persistently stored and executed in the context of other users' browsers. The vulnerability affects versions of Contest Gallery up to 26.0.6, with no lower bound version specified.

The CVSS 3.1 base score is 7.1, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect components beyond the vulnerable component. The confidentiality, integrity, and availability impacts are each low individually, but combined they represent a significant risk. Stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, and potential pivoting within the affected environment. No known exploits are currently reported in the wild, and no patches or mitigation links are provided in the data. The CVE was reserved in May 2025 and published in July 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations using Contest Gallery, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can enable attackers to execute arbitrary JavaScript in the browsers of legitimate users, potentially leading to theft of session cookies, user credentials, and sensitive data. This can facilitate unauthorized access to internal systems or user accounts, data manipulation, and further exploitation. Given the collaborative nature of Contest Gallery, often used for managing and displaying contest or event-related content, attackers could deface content or inject malicious payloads that spread through trusted user interactions. The impact extends to compliance risks under GDPR, as exploitation could lead to unauthorized disclosure of personal data. Additionally, reputational damage and operational disruption could arise if attackers leverage this vulnerability to conduct phishing or social engineering campaigns targeting European users. The requirement for user interaction means phishing or social engineering may be used to trigger the exploit, increasing the risk in environments with less security awareness.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately assess usage of Contest Gallery and identify affected versions up to 26.0.6.
2) Monitor vendor communications closely for official patches or updates addressing CVE-2025-48291 and apply them promptly once available.
3) In the interim, implement web application firewall (WAF) rules to detect and block typical XSS payloads targeting Contest Gallery endpoints.
4) Conduct thorough input validation and output encoding on all user-supplied data rendered in web pages, especially in custom integrations or extensions of Contest Gallery.
5) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
6) Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful exploitation requiring user interaction.
7) Regularly audit logs and monitor for anomalous activities indicative of XSS exploitation attempts.
8) Consider isolating or sandboxing Contest Gallery instances to limit potential lateral movement if compromise occurs.

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-19T14:13:37.939Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68779109a83201eaacda5899

Added to database: 7/16/2025, 11:46:17 AM

Last enriched: 7/16/2025, 12:05:53 PM

Last updated: 8/15/2025, 2:21:33 PM
