CVE-2025-50035 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79 affecting CyrilG's Fyrebox Quizzes product, up to version 3.0. The vulnerability arises from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and later executed in the context of users accessing the affected quizzes. This Stored XSS flaw means that an attacker can inject malicious JavaScript code into quiz content or input fields, which is then persistently stored on the server and served to other users without adequate sanitization or encoding. When victims load the compromised quiz, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The CVSS 3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), and a scope change (S:C). The impact affects confidentiality, integrity, and availability at a low level but can be escalated depending on the victim's privileges and the nature of the injected payload. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability requires an attacker to have some level of authenticated access to inject the malicious payload, and the victim must interact with the malicious content for exploitation to succeed. Stored XSS vulnerabilities are particularly dangerous in web applications that have a broad user base or handle sensitive information, as they can be used to compromise multiple users and propagate attacks within an organization or community.

For European organizations using Fyrebox Quizzes, this vulnerability poses a risk of client-side compromise through malicious script execution. Potential impacts include theft of user credentials, session tokens, and personal data, which can lead to unauthorized access to internal systems or sensitive information. The integrity of quiz content and user data can be compromised, undermining trust in the platform. Availability could be affected if attackers use the vulnerability to inject disruptive scripts or malware. Educational institutions, corporate training departments, and marketing teams that rely on Fyrebox Quizzes for interactive content are particularly at risk, as exploitation could lead to data breaches or reputational damage. Given the requirement for some level of authentication and user interaction, the threat is more pronounced in environments where quizzes are shared internally or with trusted users. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other parts of the web application or user sessions. Although no active exploits are reported, the medium severity and stored nature of the XSS warrant proactive mitigation to prevent exploitation and lateral movement within affected organizations.

1. Implement strict input validation and output encoding on all user-supplied data fields within Fyrebox Quizzes, ensuring that any HTML or script content is properly sanitized before storage and rendering. 2. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 3. Enforce least privilege access controls to limit the ability of users to inject content, especially restricting quiz creation or editing rights to trusted personnel only. 4. Monitor and audit quiz content regularly for suspicious or unexpected script tags or encoded payloads that may indicate attempted exploitation. 5. Educate users about the risks of interacting with untrusted quiz content and encourage reporting of anomalous behavior. 6. Since no official patch is currently available, consider isolating or disabling vulnerable quiz functionalities until a vendor fix is released. 7. Employ web application firewalls (WAF) with rules tuned to detect and block common XSS attack patterns targeting the Fyrebox Quizzes application. 8. Review authentication mechanisms to ensure that privilege escalation is not possible, reducing the risk posed by the requirement of authenticated access for exploitation.