CVE-2025-51531 is a reflected cross-site scripting (XSS) vulnerability identified in Sage DPW versions 2024_12_004 and earlier. This vulnerability allows an attacker to inject arbitrary JavaScript code into the victim's browser by crafting a malicious payload targeting the 'tabfields' parameter in the endpoint /dpw/scripts/cgiip.exe/WService. When a victim accesses a URL containing this payload, the injected script executes in the context of the victim's browser session. This can lead to theft of sensitive information such as session cookies, user credentials, or other data accessible via the browser, as well as potential redirection to malicious sites or execution of further attacks. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The vendor has addressed this issue in the 2025_06_000 release, made available in June 2025. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network without privileges, requires user interaction (victim must click a crafted link), and impacts confidentiality and integrity with a scope change, but does not affect availability. No known exploits are currently reported in the wild, but the vulnerability remains a risk until patched.

For European organizations using Sage DPW software, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized disclosure of sensitive information such as authentication tokens or personal data, potentially violating GDPR requirements. Attackers could leverage this to hijack user sessions or perform phishing attacks by injecting malicious scripts that mimic legitimate interfaces. This could undermine trust in affected services and lead to reputational damage. Since the vulnerability requires user interaction, the risk is somewhat mitigated by user awareness, but targeted spear-phishing campaigns could still be effective. The scope change in the CVSS vector indicates that exploitation could affect resources beyond the initially vulnerable component, potentially impacting multiple users or systems within an organization. Given the widespread use of Sage products in finance, accounting, and enterprise resource planning across Europe, the impact could be significant if not addressed promptly.

European organizations should immediately verify their Sage DPW software version and prioritize upgrading to version 2025_06_000 or later, where the vulnerability is fixed. Until patching is complete, organizations should implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads targeting the 'tabfields' parameter. Security teams should conduct user awareness training focused on the risks of clicking unknown or suspicious links, especially those related to internal applications. Additionally, organizations should review and tighten Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regular monitoring of web server logs for unusual query parameters or repeated attempts to exploit this endpoint can help detect potential attacks. Finally, ensure that multi-factor authentication (MFA) is enabled for all user accounts to reduce the impact of session hijacking attempts.