
CVE-2025-5179: Cross Site Scripting in Realce Tecnologia Queue Ticket Kiosk

Severity: Medium
Published: Mon May 26 2025 (05/26/2025, 09:31:04 UTC)
Source: CVE
Vendor/Project: Realce Tecnologia
Product: Queue Ticket Kiosk

Description

A vulnerability classified as problematic was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. Affected by this vulnerability is an unknown functionality of the file /adm/index.php of the component Cadastro de Administrador Page. The manipulation of the argument Name/Usuário leads to cross site scripting. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/09/2025, 13:55:19 UTC

Technical Analysis

CVE-2025-5179 is a cross-site scripting (XSS) vulnerability in the Realce Tecnologia Queue Ticket Kiosk software, affecting versions up to 20250517. The flaw is in /adm/index.php, the Cadastro de Administrador (Administrator Registration) page, where the 'Name/Usuário' parameter is not properly sanitized or validated, so an attacker can inject script through it. The vulnerability can be exploited remotely without prior authentication; the CVSS vector, however, records high privileges (PR:H) and user interaction (UI:P), which suggests that exploitation requires an authenticated user to interact with crafted input. The CVSS 4.0 score is 4.8, a medium severity rating. The issue does not significantly affect confidentiality or availability, but it threatens integrity and user trust: injected script could lead to session hijacking, defacement, or redirection to malicious sites. The vendor was contacted but did not respond, and no patches or mitigations have been officially released. No exploits are currently known in the wild. Because the flaw sits in a single administrative component, its attack surface is somewhat limited, but it still represents a notable risk, especially where the Queue Ticket Kiosk manages customer flow or administrative tasks.

Potential Impact

For European organizations using the Realce Tecnologia Queue Ticket Kiosk, this vulnerability could lead to unauthorized script execution within the administrative interface, potentially allowing attackers to hijack administrator sessions, manipulate administrative functions, or conduct phishing attacks against staff. This could disrupt service management and erode trust in customer-facing systems. While the vulnerability does not directly compromise data confidentiality or availability, the integrity of administrative operations could be undermined, leading to operational inefficiencies or indirect data exposure. Given that the Queue Ticket Kiosk is likely deployed in public service environments such as healthcare, government offices, or retail sectors, exploitation could impact service delivery and customer experience. The lack of vendor response and absence of patches increases the risk exposure for organizations that have not implemented their own mitigations. Additionally, the requirement for high privileges and user interaction means that insider threats or targeted attacks against administrative users are more plausible scenarios.

Mitigation Recommendations

European organizations should immediately audit their Queue Ticket Kiosk deployments to identify affected versions (up to 20250517). As no official patch is available, organizations should implement compensating controls such as:

1) Restricting access to the administrative interface via network segmentation and VPNs, so that only trusted personnel can reach it.
2) Enforcing strict input validation and sanitization at the web application firewall (WAF) level to detect and block malicious payloads targeting the 'Name/Usuário' parameter.
3) Strengthening administrator authentication, including multi-factor authentication (MFA), to reduce the risk of compromised credentials being exploited.
4) Monitoring administrative logs and user activity for unusual behaviour indicative of exploitation attempts.
5) Educating administrative users about the risks of interacting with suspicious inputs or links.
6) Considering temporarily disabling or restricting the Cadastro de Administrador functionality, if feasible, until a vendor patch is released.

Organizations should also maintain communication channels to monitor for vendor updates or community-developed patches.
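The two controls that matter most for an unescaped form field, allowlisting the value at a WAF or reverse proxy (item 2) and escaping it when the admin page renders it, as an added Python example that is not the kiosk's code, a vendor fix, or any WAF product's rule syntax. It assumes the form posts Name and Usuário as URL-encoded fields to /adm/index.php (the path the advisory names); the allowlist pattern is my own assumption about what a valid administrator name looks like and should be tuned to the deployment.

```python
import html
import re
import unicodedata
from urllib.parse import parse_qs

# Path and field names taken from the advisory text; the exact encoding the
# kiosk uses for the form is an assumption (URL-encoded POST body).
ADMIN_PATH = "/adm/index.php"
WATCHED_FIELDS = ("Name", "Usuário", "Usuario")

# Assumed allowlist for a person's name or login: letters (accented included
# via \w), digits, underscore, space, dot, apostrophe, hyphen; 1..80 chars.
# Anything else, in particular '<', '>', '"', '&' and ';', is rejected.
NAME_RE = re.compile(r"^[\w .'\-]{1,80}$")


def normalize(value: str) -> str:
    """NFC-normalize so 'Usuário' matches however the client composed it."""
    return unicodedata.normalize("NFC", value)


def inspect_form_body(path: str, body: str) -> dict:
    """WAF-side check for one request: returns {'allowed': bool, 'reasons': [...]}.

    Only the admin registration page is inspected; other paths pass through.
    Blank values are kept so an empty watched field is also flagged.
    """
    if path != ADMIN_PATH:
        return {"allowed": True, "reasons": []}
    fields = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    reasons = []
    for name, values in fields.items():
        if normalize(name) not in WATCHED_FIELDS:
            continue
        for value in values:
            if not NAME_RE.fullmatch(normalize(value)):
                reasons.append(f"{name}: value fails allowlist")
    return {"allowed": not reasons, "reasons": reasons}


def render_field(value: str) -> str:
    """Application-side control: escape the stored value at output time.

    Even if a WAF is bypassed, an escaped name is shown as text, not markup.
    """
    return html.escape(value, quote=True)
```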


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-25T17:14:31.051Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683439c50acd01a2492853ab

Added to database: 5/26/2025, 9:52:05 AM

Last enriched: 7/9/2025, 1:55:19 PM

Last updated: 8/10/2025, 4:17:04 PM
