CVE-2025-53280: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AntoineH Football Pool
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5.
AI Analysis
Technical Summary
CVE-2025-53280 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the AntoineH Football Pool application up to version 2.12.5. Stored XSS occurs when malicious input is improperly neutralized and then stored by the application, later being served to users without adequate sanitization or encoding. This vulnerability allows an attacker with at least low privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts into web pages generated by the Football Pool application. When other users view these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or further exploitation of the victim's browser environment. The CVSS v3.1 base score is 6.5 (medium severity), reflecting a network attack vector (AV:N), low attack complexity (AC:L), partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L), and scope change (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. No known exploits are reported in the wild, and no patches have been linked yet. The vulnerability is significant because the Football Pool application is used to manage football-related betting or prediction pools, which may contain user data and interactive features, increasing the risk of exploitation and user impact.
Potential Impact
For European organizations using AntoineH Football Pool, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to user sessions, data leakage, or manipulation of pool results, undermining trust and potentially violating data protection regulations such as GDPR. The scope change indicates that exploitation could affect multiple components or user roles, increasing the attack surface. Organizations relying on this software for internal or public-facing services may face reputational damage, user data compromise, and operational disruptions. Since the vulnerability requires some level of user interaction and privileges, insider threats or compromised user accounts could facilitate exploitation. Additionally, if the application is integrated with other systems or handles payment or personal data, the impact could extend beyond the application itself, affecting confidentiality, integrity, and availability of critical services.
Mitigation Recommendations
European organizations should immediately review their use of AntoineH Football Pool and assess exposure. Specific mitigations include:
1) Implement strict input validation and output encoding on all user-supplied data fields to neutralize malicious scripts before storage and rendering.
2) Apply Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact.
3) Enforce the principle of least privilege to limit user permissions, reducing the risk of low-privilege users injecting malicious content.
4) Monitor application logs and user activity for unusual behavior indicative of XSS exploitation attempts.
5) If possible, isolate the Football Pool application environment to limit lateral movement in case of compromise.
6) Engage with the vendor or community to obtain patches or updates as soon as they become available, and apply them promptly.
7) Educate users about the risks of interacting with suspicious links or content within the application.
8) Conduct regular security assessments and penetration tests focusing on web application vulnerabilities, including XSS.
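The first two mitigations above (contextual output encoding with allowlist validation, and a CSP that blocks scripts without a per-response nonce) are shown below in a small worked example. This is added illustrative code, not code from the Football Pool plugin or from the advisory; the function names, the sample submissions and the policy string are assumptions chosen for the demonstration. The vulnerable renderer is kept beside the hardened one so the difference in output is visible on the same stored text.

```python
import html
import re
import secrets

# Constructed sample submissions, standing in for the kind of free text a
# low-privileged pool member can store (predictions, comments, display names).
# The markup in them is an illustrative probe, not a payload from the advisory.
SAMPLE_SUBMISSIONS = [
    "Go Ajax!",
    "<script>probe()</script>",
    'Nice" onmouseover="probe()',
]

# Vulnerable pattern (the CWE-79 shape): stored user text is concatenated
# straight into HTML, so any markup it contains runs in every viewer's browser.
def render_comment_unsafe(comment: str) -> str:
    return f'<li class="comment">{comment}</li>'

# Hardened: encode on output for the HTML body context. html.escape(quote=True)
# turns < > & " ' into entities, so stored markup is displayed as text.
# Encoding at render time also covers rows that were stored before the fix.
def render_comment_safe(comment: str) -> str:
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'

# Attribute context: the value must be quoted AND the quote character itself
# must be encoded, otherwise the attribute can be closed early.
def render_name_field_safe(display_name: str) -> str:
    return f'<input name="display_name" value="{html.escape(display_name, quote=True)}">'

# Allowlist validation for a field with a known shape. Reject instead of
# "cleaning up", so what is stored is exactly what was checked.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,40}")

def is_valid_display_name(display_name: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(display_name) is not None

# Nonce-based CSP: inline scripts without this response's nonce do not run,
# which limits the impact if encoding is missed somewhere in the application.
def build_csp_header(nonce: str) -> tuple[str, str]:
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )
    return ("Content-Security-Policy", policy)

def new_nonce() -> str:
    return secrets.token_urlsafe(16)

# Review helper: report submissions whose raw markup characters survive
# unchanged in the rendered fragment, i.e. where encoding was skipped.
def fragments_with_raw_markup(render, submissions: list[str]) -> list[str]:
    flagged = []
    for text in submissions:
        rendered = render(text)
        if any(ch in text for ch in '<>"\'') and text in rendered:
            flagged.append(text)
    return flagged

if __name__ == "__main__":
    print(build_csp_header(new_nonce()))
    for text in SAMPLE_SUBMISSIONS:
        print("unsafe:", render_comment_unsafe(text))
        print("safe:  ", render_comment_safe(text))
    print("unsafe renderer leaks:", fragments_with_raw_markup(render_comment_unsafe, SAMPLE_SUBMISSIONS))
    print("safe renderer leaks:  ", fragments_with_raw_markup(render_comment_safe, SAMPLE_SUBMISSIONS))
```

Encoding is applied at output rather than at storage because the same stored value may be rendered into different contexts (HTML body, attribute, JavaScript, URL), each needing its own encoder; the CSP is a second layer, not a replacement for encoding.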
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-27T11:58:42.673Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685ea033f6cf9081996a7996
Added to database: 6/27/2025, 1:44:19 PM
Last enriched: 6/27/2025, 2:26:40 PM
Last updated: 8/13/2025, 8:51:47 AM