
CVE-2025-50927: n/a

Medium
Published: Fri Aug 08 2025 (08/08/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A reflected cross-site scripting (XSS) vulnerability in the List All FTP User function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript by injecting a crafted payload into the ftpusername parameter.

AI-Powered Analysis

Last updated: 08/08/2025, 17:48:16 UTC

Technical Analysis

CVE-2025-50927 is a reflected cross-site scripting (XSS) vulnerability identified in the List All FTP User function of EHCP version 20.04.1.b. It arises from insufficient sanitization of the 'ftpusername' parameter, which allows an authenticated attacker to inject arbitrary JavaScript that executes in the context of the vulnerable web application. Reflected XSS occurs when a server echoes untrusted input back in its response, such as in an error message or search result, so that the script runs in the victim's browser. In this case the attacker must be authenticated to EHCP, a web hosting control panel commonly used to manage FTP users and other hosting services.

The vulnerability's CVSS v3.1 base score is 6.3, a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates that the attack is performed remotely over the network without privileges (PR:N), requires user interaction (UI:R), and has limited (L) impact on confidentiality, integrity, and availability; the scope is unchanged (S:U). Note that the vector's PR:N does not reflect the authentication requirement stated in the description.

Although no exploits have been reported in the wild yet, the vulnerability represents a credible risk: attackers with valid credentials can use it to execute malicious scripts, potentially leading to session hijacking, credential theft, or further exploitation of the hosting environment. The lack of an available patch at the time of publication increases the urgency of mitigation. The CWE-79 classification confirms this is a classic XSS issue: improper neutralization of input during web page generation.

Potential Impact

For European organizations using EHCP v20.04.1.b, this vulnerability poses a moderate security risk. Since EHCP is a web hosting control panel, it is often deployed by small to medium hosting providers and enterprises managing their own FTP users. Exploitation could allow attackers to execute malicious scripts in the context of authenticated users, potentially leading to theft of session cookies, unauthorized actions within the control panel, or pivoting to other internal systems. This could compromise the confidentiality and integrity of hosted websites and user data. Given the medium CVSS score, the impact on availability is limited but possible if attackers inject scripts that disrupt normal operations. The requirement for authentication limits the attack surface to insiders or users with compromised credentials, but social engineering or phishing could facilitate this. European organizations with regulatory obligations under GDPR must consider the risk of data breaches resulting from such attacks, which could lead to legal and reputational consequences. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the EHCP control panel to trusted users and networks, and employing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
2. Implement web application firewall (WAF) rules to detect and block reflected XSS payloads targeting the 'ftpusername' parameter.
3. Sanitize and validate all user input rigorously on the server side, ensuring that special characters are properly escaped or removed before rendering in the web interface.
4. Monitor logs for unusual activity related to the FTP user listing function, especially requests containing suspicious script tags or encoded payloads.
5. Since no official patch is currently available, consider temporary workarounds such as disabling the vulnerable functionality if feasible, or isolating the EHCP server from critical network segments.
6. Stay updated with EHCP vendor announcements for patches or updates addressing this vulnerability and apply them promptly once released.
7. Conduct security awareness training for users with access to the control panel so they can recognize phishing attempts that could lead to credential theft.
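Recommendation 4 above, as an added example that is not part of this record or of EHCP: a small log check that pulls the ftpusername parameter out of combined-format access-log lines, undoes repeated percent-encoding so double-encoded payloads are not missed, and flags values carrying markup or script indicators. The log lines, the /ehcp/ request path and the expected username character set are constructed assumptions, not EHCP specifics.

```python
"""Flag access-log requests whose ftpusername parameter carries reflected-XSS
indicators. Illustrative only; the log lines and URL layout are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real EHCP traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Aug/2025:10:01:02 +0000] "GET /ehcp/?ftpusername=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2025:10:02:17 +0000] "GET /ehcp/?ftpusername=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2025:10:03:44 +0000] "GET /ehcp/?ftpusername=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Aug/2025:10:04:00 +0000] "GET /ehcp/?ftpusername=alice%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Aug/2025:10:05:10 +0000] "GET /ehcp/?ftpusername=bob_smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup/script indicators, matched case-insensitively after full decoding.
XSS_INDICATORS = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)
# Assumed shape of a legitimate FTP user name; adjust to the deployment's policy.
VALID_USERNAME = re.compile(r'^[A-Za-z0-9._-]{1,64}$')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_ftpusername_requests(log_text):
    """Return (client_ip, decoded_value, reason) for each ftpusername that fails a check."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(' ', 1)[0]
        # parse_qs decodes one layer; keep_blank_values keeps an empty ftpusername= visible.
        params = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
        for raw in params.get('ftpusername', []):
            value = fully_decode(raw)
            if XSS_INDICATORS.search(value):
                findings.append((client_ip, value, 'xss-indicator'))
            elif not VALID_USERNAME.match(value):
                findings.append((client_ip, value, 'unexpected-characters'))
    return findings

if __name__ == '__main__':
    for finding in suspicious_ftpusername_requests(SAMPLE_LOG):
        print(finding)
```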

Need more detailed analysis?Get Pro

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 689634c3ad5a09ad0005872e

Added to database: 8/8/2025, 5:32:51 PM

Last enriched: 8/8/2025, 5:48:16 PM

Last updated: 8/9/2025, 4:48:49 AM
