CVE-2025-49450: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mhallmann SEPA Girocode
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mhallmann SEPA Girocode allows Stored XSS. This issue affects SEPA Girocode: from n/a through 0.5.1.
AI Analysis
Technical Summary
CVE-2025-49450 is a Stored Cross-site Scripting (XSS) vulnerability in the mhallmann SEPA Girocode software, affecting versions up to and including 0.5.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). It allows an attacker holding at least low privileges, with user interaction required, to inject malicious scripts that are stored and later executed in the browsers of other users viewing the affected pages. The CVSS 3.1 base score of 6.5 (medium severity) reflects a network attack vector, low attack complexity, low privileges required, user interaction required, and a changed scope, meaning the vulnerability can affect components beyond the initially vulnerable component; confidentiality, integrity, and availability are all impacted. No exploits are currently reported in the wild and no patches have been linked yet, but stored XSS in a financial-related application such as SEPA Girocode is concerning. SEPA Girocode generates standardized QR codes for SEPA payments, facilitating payment initiation in European banking systems. Exploitation could lead to session hijacking, credential theft, or manipulation of payment information, potentially enabling fraudulent transactions or unauthorized access to sensitive financial data.
Potential Impact
For European organizations, especially financial institutions, payment service providers, and businesses relying on SEPA Girocode for payment processing, this vulnerability poses a significant risk. Exploitation could compromise user sessions, leading to unauthorized access to payment details or manipulation of payment instructions. This could result in financial fraud, reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and operational disruptions. Given the critical role of SEPA payments in the European Single Market, any compromise could have cascading effects on trust and transaction integrity. Organizations using SEPA Girocode in customer-facing portals or internal tools are particularly at risk, as stored XSS can affect multiple users and persist over time. The medium severity suggests that while exploitation requires some privileges and user interaction, the potential impact on confidentiality, integrity, and availability of payment data is non-trivial.
Mitigation Recommendations
1. Immediate mitigation should include input validation and output encoding to neutralize malicious scripts before rendering user-supplied data in web pages. Employ context-aware encoding (e.g., HTML entity encoding) to prevent script execution.
2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3. Conduct thorough code reviews and security testing focusing on all input points that generate web content, especially those related to payment data.
4. Restrict privileges to the minimum necessary to reduce the attack surface, ensuring that only trusted users can input data that is rendered in web pages.
5. Monitor web application logs for suspicious input patterns or unusual user activity that could indicate exploitation attempts.
6. Once available, promptly apply official patches or updates from the vendor.
7. Educate users about the risks of interacting with untrusted links or content within the application to reduce the likelihood of successful exploitation requiring user interaction.
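As an added illustration of recommendations 1 and 2 (example code, not code from the SEPA Girocode plugin), the following Python renders a payment summary with allowlist validation of the structured fields, HTML entity encoding of the free-text fields in both element and attribute context, and a CSP header as defence in depth. The field names, patterns, length limits and sample values are constructed assumptions and are not taken from the affected software.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical field set for a SEPA Girocode payment summary (not the plugin's own).
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")   # allowlist: letters/digits only
AMOUNT_RE = re.compile(r"^[0-9]{1,9}(\.[0-9]{1,2})?$")         # decimal string, 2 places max


@dataclass
class Payment:
    name: str      # free-text recipient name (must be encoded on output)
    iban: str      # structured field, validated against an allowlist pattern
    amount: str    # structured field, validated against an allowlist pattern
    purpose: str   # free-text remittance information (must be encoded on output)


def validate(p: Payment) -> Payment:
    """Reject structured fields that fail their allowlist; cap free-text length.
    Free text is deliberately not filtered here: encoding at output is what
    neutralizes it, and filtering alone is easy to get wrong."""
    iban = p.iban.replace(" ", "").upper()
    if not IBAN_RE.fullmatch(iban):
        raise ValueError("invalid IBAN format")
    if not AMOUNT_RE.fullmatch(p.amount):
        raise ValueError("invalid amount format")
    if len(p.name) > 70 or len(p.purpose) > 140:
        raise ValueError("field too long")
    return Payment(p.name, iban, p.amount, p.purpose)


def render_summary(p: Payment) -> str:
    """Context-aware output encoding: html.escape(quote=True) escapes <, >, &,
    " and ', which covers both element text and the double-quoted title
    attribute used below. Every user-controlled value passes through it."""
    p = validate(p)
    esc = lambda s: html.escape(s, quote=True)
    return (
        '<div class="girocode-summary">'
        f'<p class="name" title="{esc(p.name)}">{esc(p.name)}</p>'
        f'<p class="iban">{esc(p.iban)}</p>'
        f'<p class="amount">EUR {esc(p.amount)}</p>'
        f'<p class="purpose">{esc(p.purpose)}</p>'
        '</div>'
    )


def csp_header() -> tuple:
    """Defence in depth: a CSP without 'unsafe-inline' blocks inline script
    even if an encoding step is missed somewhere in the page."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```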
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Austria, Ireland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T15:44:57.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842edde71f4d251b5c8808d
Added to database: 6/6/2025, 1:32:14 PM
Last enriched: 7/8/2025, 1:40:34 AM
Last updated: 8/4/2025, 10:22:46 AM