CVE-2025-5378 is a cross-site scripting (XSS) vulnerability identified in Astun Technology's iShare Maps version 5.4.0. The vulnerability arises from improper sanitization of the 'atTxtStreet' parameter within the 'mycouncil2.aspx' file. An attacker can remotely inject malicious scripts through this parameter, which are then executed in the context of the victim's browser. This type of vulnerability enables attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is classified as 'problematic' with a CVSS 4.0 base score of 5.3, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N) and no authentication (AT:N), but user interaction is necessary (UI:P) for exploitation. The impact on confidentiality is none, integrity is low, and availability is none, suggesting the primary risk is to user trust and session security rather than system compromise. The vendor has not responded to the disclosure, and no patches or mitigations have been officially released. Although no known exploits are currently in the wild, the public disclosure of the vulnerability increases the risk of exploitation by threat actors.

For European organizations using Astun Technology's iShare Maps 5.4.0, this XSS vulnerability poses a risk primarily to web application users, including employees, partners, or citizens accessing public services via the affected platform. Exploitation could lead to theft of session cookies, enabling attackers to impersonate legitimate users, potentially accessing sensitive geographic or council-related data. It could also facilitate phishing attacks by injecting malicious content into trusted web pages, undermining user confidence and potentially causing reputational damage. While the vulnerability does not directly compromise backend systems or data integrity at a high level, the indirect effects on confidentiality and trust can be significant, especially for public sector organizations or municipalities relying on iShare Maps for service delivery. Additionally, the lack of vendor response and patch availability increases the window of exposure, necessitating immediate mitigation efforts by affected organizations.

Given the absence of an official patch, European organizations should implement several targeted mitigations: 1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'atTxtStreet' parameter. 2) Conduct input validation and output encoding at the application level if source code access is available, sanitizing all user-supplied inputs to prevent script injection. 3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Educate users about the risks of interacting with suspicious links or inputs within the iShare Maps interface. 5) Monitor web server logs for unusual or suspicious requests targeting the vulnerable parameter to identify potential exploitation attempts. 6) Consider isolating or restricting access to the affected application until a vendor patch is released. 7) Engage with Astun Technology or community forums to seek updates or unofficial patches. These measures, combined, can reduce the risk of successful exploitation while awaiting an official fix.