CVE-2025-5177 is a cross-site scripting (XSS) vulnerability identified in the Realce Tecnologia Queue Ticket Kiosk product, specifically affecting versions up to 20250517. The vulnerability resides in the Admin Login Page component, within the /adm/index.php file. It arises due to improper sanitization or validation of the 'Usuário' parameter, which can be manipulated by an attacker to inject malicious scripts. This vulnerability is remotely exploitable without requiring authentication, and user interaction is needed to trigger the attack (e.g., an administrator or user clicking a crafted link). The CVSS 4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required. The impact primarily affects the integrity of the user interface and potentially the confidentiality of session-related data, as the injected scripts can execute in the context of the victim's browser. The vendor was contacted but did not respond, and no patches or mitigations have been published yet. No known exploits are currently in the wild. This vulnerability could be leveraged to steal session cookies, perform phishing, or conduct further attacks within the administrative interface of the Queue Ticket Kiosk system.

For European organizations using the Realce Tecnologia Queue Ticket Kiosk, this vulnerability poses a risk mainly to administrative users who access the kiosk's backend login page. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed under the guise of legitimate administrators. This could disrupt queue management services, potentially impacting customer service operations in sectors such as healthcare, government offices, or retail environments where such kiosks are deployed. The confidentiality and integrity of administrative sessions are at risk, which could cascade into broader operational disruptions if attackers gain control over the system. Since the vulnerability requires user interaction, phishing campaigns targeting administrative staff could be an effective attack vector. The lack of vendor response and patches increases the risk exposure for organizations relying on this product in Europe.

1. Implement strict input validation and output encoding on the 'Usuário' parameter in the /adm/index.php page to neutralize malicious scripts. 2. Deploy web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the affected endpoint. 3. Restrict access to the administrative interface by IP whitelisting or VPN-only access to reduce exposure. 4. Educate administrative users about phishing risks and the importance of not clicking suspicious links. 5. Monitor logs for unusual activity or repeated attempts to exploit the 'Usuário' parameter. 6. If possible, isolate the Queue Ticket Kiosk administrative interface from the public internet. 7. Engage with Realce Tecnologia for patch availability or consider alternative queue management solutions if remediation is delayed. 8. Apply Content Security Policy (CSP) headers to limit script execution sources on the admin pages.