CVE-2025-48291: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Wasiliy Strecker / ContestGallery developer Contest Gallery
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 26.0.6.
AI Analysis
Technical Summary
CVE-2025-48291 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the Contest Gallery software developed by Wasiliy Strecker. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before rendering it in web pages, allowing an attacker to inject malicious scripts that are persistently stored and executed in the context of other users' browsers. The vulnerability affects versions of Contest Gallery up to 26.0.6, with no lower bound version specified. The CVSS 3.1 base score is 7.1, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect components beyond the vulnerable component. The impact includes low confidentiality, integrity, and availability impacts individually, but combined they represent a significant risk. Stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, and potential pivoting within the affected environment. No known exploits are currently reported in the wild, and no patches or mitigation links are provided in the data. The vulnerability was reserved in May 2025 and published in July 2025, indicating recent discovery and disclosure.
Potential Impact
For European organizations using Contest Gallery, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can enable attackers to execute arbitrary JavaScript in the browsers of legitimate users, potentially leading to theft of session cookies, user credentials, and sensitive data. This can facilitate unauthorized access to internal systems or user accounts, data manipulation, and further exploitation. Given the collaborative nature of Contest Gallery, often used for managing and displaying contest or event-related content, attackers could deface content or inject malicious payloads that spread through trusted user interactions. The impact extends to compliance risks under GDPR, as exploitation could lead to unauthorized disclosure of personal data. Additionally, reputational damage and operational disruption could arise if attackers leverage this vulnerability to conduct phishing or social engineering campaigns targeting European users. The requirement for user interaction means phishing or social engineering may be used to trigger the exploit, increasing the risk in environments with less security awareness.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately assess usage of Contest Gallery and identify affected versions up to 26.0.6.
2) Monitor vendor communications closely for official patches or updates addressing CVE-2025-48291 and apply them promptly once available.
3) In the interim, implement web application firewall (WAF) rules to detect and block typical XSS payloads targeting Contest Gallery endpoints.
4) Conduct thorough input validation and output encoding on all user-supplied data rendered in web pages, especially in custom integrations or extensions of Contest Gallery.
5) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers.
6) Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful exploitation requiring user interaction.
7) Regularly audit logs and monitor for anomalous activities indicative of XSS exploitation attempts.
8) Consider isolating or sandboxing Contest Gallery instances to limit potential lateral movement if compromise occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-19T14:13:37.939Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68779109a83201eaacda5899
Added to database: 7/16/2025, 11:46:17 AM
Last enriched: 7/16/2025, 12:05:53 PM
Last updated: 8/10/2025, 4:10:17 PM