
CVE-2025-4951: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Rapid7 AppSpider Pro

Severity: Medium
Tags: Vulnerability, CVE-2025-4951, cve, cwe-79
Published: Tue May 20 2025 (05/20/2025, 08:39:38 UTC)
Source: CVE
Vendor/Project: Rapid7
Product: AppSpider Pro

Description

Editions of Rapid7 AppSpider Pro before version 7.5.018 are vulnerable to a stored cross-site scripting vulnerability in the "ScanName" field. Despite the application preventing the inclusion of special characters within the "ScanName" field, this could be bypassed by modifying the configuration file directly. This is fixed as of version 7.5.018.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 13:48:50 UTC

Technical Analysis

CVE-2025-4951 is a stored cross-site scripting (XSS) vulnerability in Rapid7 AppSpider Pro versions prior to 7.5.018. The root cause is improper neutralization of input during web page generation (CWE-79): the value of the "ScanName" field is rendered into the application's HTML without adequate output encoding. The application does attempt to block special characters in this field at input time, but that check is enforced only in the user interface; an attacker who can edit the configuration file directly can store a value containing markup, and that value is then rendered as script when the interface is displayed. Because the payload is persisted, it executes in the browser context of other users who view the affected interface. An attacker needs limited privileges (some level of authentication) to plant the payload. The vulnerability has a CVSS 3.1 base score of 4.6 (medium severity). The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L), and user interaction required (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact on confidentiality and integrity is limited, with no impact on availability. No known exploits are currently reported in the wild. The issue is resolved in version 7.5.018 of AppSpider Pro.

Potential Impact

For European organizations using Rapid7 AppSpider Pro versions below 7.5.018, this vulnerability poses a risk of stored XSS attacks that could lead to unauthorized script execution within the application’s user interface. Potential impacts include theft of session tokens, unauthorized actions performed on behalf of legitimate users, and exposure of sensitive information accessible through the application. Since AppSpider Pro is a security testing tool often used by security teams, compromise could undermine trust in vulnerability assessments or lead to leakage of sensitive scan data. The requirement for local access and authentication limits the attack surface primarily to internal users or attackers who have gained some foothold within the network. However, the changed scope means that the impact could extend beyond the immediate component, potentially affecting other integrated systems or users. European organizations with strict data protection regulations (e.g., GDPR) must consider the confidentiality implications of such an attack, especially if sensitive data is exposed or manipulated. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation, especially in environments with multiple users or where AppSpider Pro is exposed to a broader user base.

Mitigation Recommendations

1. Immediate upgrade to Rapid7 AppSpider Pro version 7.5.018 or later, where the vulnerability is fixed, is the most effective mitigation.
2. Restrict access to the configuration files and ensure that only authorized administrators have write permissions to prevent direct modification that could bypass input validation.
3. Implement strict access controls and monitoring on the AppSpider Pro environment to detect any unauthorized changes to configuration files or suspicious user activity.
4. Employ Content Security Policy (CSP) headers and other browser-based mitigations to reduce the impact of potential XSS payloads.
5. Conduct regular security audits and code reviews of custom configurations or integrations with AppSpider Pro to identify and remediate any injection points.
6. Educate users and administrators about the risks of stored XSS and the importance of following secure configuration management practices.
7. If upgrading immediately is not feasible, consider isolating the AppSpider Pro instance from broader network access and limit user privileges to reduce the attack surface.
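The defect class behind this advisory is a validation check that lives only at the input form, so any other path into storage (here, editing the configuration file) skips it, while the render path trusts whatever is stored. The Python below is an added illustration written for this page; it is not code from Rapid7 or from AppSpider Pro, whose implementation the advisory does not describe. It shows the vulnerable rendering pattern beside the hardened one (output encoding at render time, which holds no matter how the value reached storage), re-validates configuration entries at load time so a file edited on disk cannot smuggle values past the allow-list, and emits the kind of CSP header recommendation 4 refers to. The allow-list regex, the JSON layout of the configuration, the table markup and the sample values are all assumptions constructed for the example.

```python
import html
import json
import re
from typing import Dict, List, Tuple

# Assumed allow-list for a scan name, standing in for the UI-side rule the
# advisory mentions (the product's real rule is not documented on the page).
SCAN_NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def validate_scan_name(name: str) -> bool:
    """True if the name contains only allow-listed characters (no markup)."""
    return bool(SCAN_NAME_RE.fullmatch(name))


def render_scan_row_unsafe(name: str) -> str:
    """Vulnerable pattern (CWE-79): the stored value is interpolated into
    HTML as-is, so a value that bypassed input validation renders as markup."""
    return f'<tr><td class="scan-name">{name}</td></tr>'


def render_scan_row(name: str) -> str:
    """Hardened pattern: contextual output encoding at render time. This is
    the fix that does not depend on how the value got into storage."""
    return f'<tr><td class="scan-name">{html.escape(name, quote=True)}</td></tr>'


def load_scan_config(raw_json: str) -> Tuple[List[Dict], List[Dict]]:
    """Defence in depth: apply the same allow-list when the configuration is
    loaded, not only when it is typed into the UI. Returns (accepted, rejected)
    so a caller can log the rejected entries as a tamper signal."""
    entries = json.loads(raw_json)
    accepted: List[Dict] = []
    rejected: List[Dict] = []
    for entry in entries:
        target = accepted if validate_scan_name(entry.get("ScanName", "")) else rejected
        target.append(entry)
    return accepted, rejected


def csp_header() -> Tuple[str, str]:
    """Browser-side mitigation (recommendation 4): a policy that refuses
    inline script limits what a payload can do if one still reaches the page.
    The exact directives are an assumption; tune them to the application."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


# Constructed sample configuration: one ordinary entry and one that was
# edited on disk to carry markup, standing in for the bypass the advisory
# describes. Both values are made up for this example.
SAMPLE_CONFIG = json.dumps([
    {"ScanName": "nightly-web-scan"},
    {"ScanName": "<script>alert('x')</script>"},
])


if __name__ == "__main__":
    accepted, rejected = load_scan_config(SAMPLE_CONFIG)
    print("accepted:", [e["ScanName"] for e in accepted])
    print("rejected:", [e["ScanName"] for e in rejected])
    for entry in rejected:
        print("unsafe :", render_scan_row_unsafe(entry["ScanName"]))
        print("escaped:", render_scan_row(entry["ScanName"]))
    print("header :", ": ".join(csp_header()))
```

Run it directly to see the two renderings side by side: the unsafe row contains a live `<script>` element, the escaped row contains only `&lt;script&gt;` text. The load-time re-validation is what closes the specific bypass here (a value written around the UI check), while output encoding is the general fix for the CWE and should be present even when every input path is validated.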


Technical Details

Data Version
5.1
Assigner Short Name
rapid7
Date Reserved
2025-05-19T10:06:45.924Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f71484d88663aeb133

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/11/2025, 1:48:50 PM

Last updated: 8/16/2025, 9:17:39 PM
