
CVE-2025-50012: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fridaysystems Inventory Presser

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 15:04:02 UTC)
Source: CVE Database V5
Vendor/Project: fridaysystems
Product: Inventory Presser

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fridaysystems Inventory Presser allows Stored XSS. This issue affects Inventory Presser: from n/a through 15.0.0.

AI-Powered Analysis

Last updated: 06/21/2025, 11:53:09 UTC

Technical Analysis

CVE-2025-50012 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the fridaysystems Inventory Presser product up to and including version 15.0.0. It arises from improper neutralization of input during web page generation: attacker-supplied markup is stored on the server and later rendered unescaped, so it executes in the browsers of users who view the affected pages. The vulnerability has a CVSS 3.1 base score of 5.9 (medium). The vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) shows that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires the attacker to already hold high privileges (PR:H) and a victim to interact with the stored content (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality, integrity, and availability impact are each rated low (C:L/I:L/A:L), reflecting limited but non-negligible consequences. Stored XSS lets an attacker execute arbitrary JavaScript in the context of the victim's browser, which can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Since no patches are currently linked, the vulnerability remains unmitigated in official releases. No known exploits are reported in the wild as of the publication date (June 20, 2025). The vulnerability affects the Inventory Presser product, which is used for inventory management and related business processes and therefore likely handles sensitive operational data and user credentials. The high-privilege requirement means an attacker must already have some level of access to the system, for example through a compromised account or an insider. The user-interaction requirement means social engineering or phishing may be needed to get a victim to view the injected content. The changed scope indicates that the impact can extend beyond the immediately vulnerable component, potentially affecting other parts of the application or connected systems.

Potential Impact

For European organizations using fridaysystems Inventory Presser, this vulnerability poses a moderate risk. Given the medium CVSS score and the need for high privileges and user interaction, the threat is more relevant in environments where internal users or administrators might be targeted or compromised. Successful exploitation could lead to unauthorized actions within the inventory management system, data leakage, or manipulation of inventory records, which can disrupt supply chain operations and financial reporting. The stored XSS could also be leveraged to pivot attacks within the corporate network, especially if the Inventory Presser interfaces with other critical systems. In sectors such as manufacturing, retail, and logistics—where inventory management is critical—this vulnerability could impact operational continuity and data integrity. Additionally, the cross-site scripting nature of the vulnerability could expose users to phishing or malware delivery through the compromised application interface. While no active exploits are known, the presence of this vulnerability increases the attack surface and could be exploited by insider threats or advanced persistent threat (APT) actors targeting European enterprises with strategic supply chain interests.

Mitigation Recommendations

1. Implement strict input validation and output encoding on all user-supplied data within Inventory Presser, especially in areas where data is stored and later rendered in web pages.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
3. Enforce the principle of least privilege by reviewing and limiting high-privilege user accounts to reduce the risk of exploitation requiring elevated access.
4. Conduct regular security awareness training focused on phishing and social engineering to minimize the user interaction required for exploitation.
5. Monitor application logs and user activity for unusual behavior indicative of attempted exploitation or privilege misuse.
6. If possible, isolate Inventory Presser instances within segmented network zones to limit lateral movement in case of compromise.
7. Engage with fridaysystems for timely patches or updates; if unavailable, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting Inventory Presser.
8. Perform periodic security assessments and penetration testing focusing on XSS and privilege escalation vectors within the Inventory Presser environment.
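As an added illustration of recommendations 1 and 2 (not code from the Inventory Presser project, whose implementation this page does not show), the following Python contrasts a rendering routine that emits a stored record verbatim with one that HTML-encodes every value at output time, and builds a nonce-based CSP as a second layer. The inventory record and the csp_header helper are constructed for this example.

```python
import html
import re

# Constructed sample record (not from the page): a high-privilege user has
# stored markup in a vehicle description field.
STORED_RECORD = {
    "stock_number": "A1234",
    "description": '2019 Sedan "low miles" <script>alert(1)</script>',
}


def render_unsafe(record):
    """Vulnerable pattern: stored values are interpolated into HTML as-is,
    so any markup saved earlier becomes live when the page is generated."""
    return (
        f'<tr data-stock="{record["stock_number"]}">'
        f'<td>{record["description"]}</td></tr>'
    )


def render_safe(record):
    """Hardened pattern: every stored value is HTML-encoded at the moment it
    is written into the page. quote=True also encodes " and ', so the same
    function is safe for quoted attribute values as well as text nodes."""
    stock = html.escape(record["stock_number"], quote=True)
    desc = html.escape(record["description"], quote=True)
    return f'<tr data-stock="{stock}"><td>{desc}</td></tr>'


def contains_active_script(fragment):
    """Demonstration-only check: does the rendered fragment still contain an
    un-encoded <script> start tag?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


def csp_header(script_nonce):
    """Hypothetical helper: returns the Content-Security-Policy header value.
    Only scripts carrying the per-response nonce may run, so an injected
    inline <script> is blocked even if an encoding bug is missed."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{script_nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    print(render_unsafe(STORED_RECORD))
    print(render_safe(STORED_RECORD))
    print("Content-Security-Policy:", csp_header("r4nd0mNonce"))
```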


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-11T16:08:11.573Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68568e85aded773421b5aa61

Added to database: 6/21/2025, 10:50:45 AM

Last enriched: 6/21/2025, 11:53:09 AM

Last updated: 8/15/2025, 11:09:46 AM
