
CVE-2025-55062: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Priority Web

Severity: Medium
Published: Mon Dec 29 2025 (12/29/2025, 17:18:00 UTC)
Source: CVE Database V5
Vendor/Project: Priority
Product: Web

Description

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

AI-Powered Analysis

Last updated: 12/30/2025, 23:21:27 UTC

Technical Analysis

CVE-2025-55062 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting Priority Web versions 23.0 and below. The flaw arises from improper neutralization of user-supplied input during web page generation, which can allow an attacker to inject malicious scripts into web pages viewed by other users. The CVSS 3.1 score of 4.8 (medium severity) reflects that the attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component. Successful exploitation could lead to limited confidentiality and integrity impacts, such as theft of session tokens, user credentials, or manipulation of displayed data. Availability is not impacted. No public exploits are known at this time. The vulnerability is significant in environments where Priority Web is used for sensitive business processes, especially if users with high privileges are targeted. The lack of current patches requires organizations to implement compensating controls until vendor fixes are released.

Potential Impact

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized disclosure of sensitive information, including session cookies or personal data, potentially violating GDPR requirements. Integrity of displayed information could be compromised, misleading users or enabling phishing attacks within the trusted application context. Although availability is unaffected, the breach of confidentiality and integrity could disrupt business operations and damage reputation. Sectors such as finance, healthcare, and government using Priority Web are particularly vulnerable due to the sensitivity of their data and regulatory scrutiny. The requirement for high privileges and user interaction reduces the likelihood of widespread exploitation but does not eliminate risk, especially in environments with insufficient privilege management or user awareness. Attackers could leverage this vulnerability as a foothold for further attacks or lateral movement within networks.

Mitigation Recommendations

Organizations should prioritize applying official patches from Priority once available. Until then, implement strict input validation and output encoding on all user-supplied data in Priority Web interfaces to prevent script injection. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. Limit high privilege user accounts and enforce the principle of least privilege to reduce attack surface. Conduct user training to recognize and avoid phishing attempts that could trigger the vulnerability. Monitor web application logs for suspicious activity indicative of XSS attempts. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS patterns specific to Priority Web. Regularly review and update security configurations and perform penetration testing focused on XSS vulnerabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: INCD
Date Reserved: 2025-08-06T11:06:54.841Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695450b5db813ff03e2bf267

Added to database: 12/30/2025, 10:22:45 PM

Last enriched: 12/30/2025, 11:21:27 PM

Last updated: 2/6/2026, 3:08:51 AM
