
CVE-2025-57424: n/a

High
Published: Mon Sep 29 2025 (09/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the HttpOnly flag on the session cookie, this flaw could be exploited to capture session tokens and hijack user sessions, enabling elevated access.

AI-Powered Analysis

Last updated: 09/29/2025, 18:52:08 UTC

Technical Analysis

CVE-2025-57424 is a stored cross-site scripting (XSS) vulnerability in the MyCourts v3 application, located in the LTA number profile field. The field accepts arbitrary input, so an attacker with an ordinary account can save JavaScript in their own profile; the server stores it and later renders it, unencoded, into pages viewed by other users, including administrators, whose browsers execute it. Because the session cookie is set without the HttpOnly flag, the injected script can read the token through document.cookie and send it to an attacker-controlled host. The attacker can then replay the token to act as the victim, with administrator privileges if an administrator viewed the profile. Note that HttpOnly only blocks direct cookie theft: script running in a victim's origin can still issue authenticated requests on their behalf, so the flag limits the damage of the XSS rather than preventing it.

The record lists no affected version range beyond "v3", no CVSS score (the CVSS version field is null) and no patch links. No exploitation in the wild is known at the time of writing, but persistent injection into a field that administrators view, combined with a readable session cookie, is straightforward to exploit from any account that can edit its profile.

Potential Impact

For European organizations using MyCourts v3, the direct impact is to the confidentiality and integrity of user accounts and of any data reachable through them; availability is affected only indirectly, for example if a hijacked administrator session is used to disable accounts or disrupt the service. An attacker who captures an administrator's session token can act as that administrator until the session is invalidated, which permits unauthorized data access and modification that is hard to distinguish from legitimate activity in application logs. Because the vulnerability is stored, a single malicious profile fires for every viewer, so exposure persists and recurs until the stored value is cleaned and the rendering is fixed. Personal data held in user profiles falls under GDPR for European deployments, so unauthorized exposure could have regulatory consequences in addition to reputational damage. The "LTA number" field most plausibly refers to a Lawn Tennis Association membership number, which points to a sports-club booking context; the record itself does not say what the application is used for and gives no basis for assuming court or legal case management, so impact should be assessed against the data the deployment actually holds.

Mitigation Recommendations

To mitigate this vulnerability effectively, organizations should:

1) Encode the LTA number field on output for the HTML context in which it is rendered, and validate it on input against the expected format (an allowlist, not a blocklist of script tags). Output encoding is what actually prevents execution; input validation alone is bypassable and does nothing for values already stored.
2) Set the HttpOnly flag on the session cookie, together with Secure and a SameSite attribute, so the token cannot be read from document.cookie. This limits token theft but does not stop an injected script from acting within the victim's session, so it is not a substitute for fixing the XSS.
3) Deploy a Content-Security-Policy that forbids inline script and restricts script and connect sources, which both reduces what an injected payload can run and limits where it can exfiltrate to.
4) Audit existing profile records for stored markup and clean them, then invalidate all active sessions once the fix is deployed, since tokens may already have been captured.
5) Conduct a security review and penetration test of MyCourts v3 focused on other user-controlled fields rendered to administrators and on session management generally.
6) Monitor for indicators of exploitation: profile updates containing angle brackets or script-like content, an existing session token appearing from a new client address or user agent, and administrator sessions generating unexpected requests.
7) Educate administrators that viewing a user profile can be sufficient to trigger the payload, so reports of "odd" profiles should be escalated rather than opened casually.
8) Engage the vendor or development team for a patch; none is listed in the record at the time of writing.
9) As a stopgap, deploy web application firewall rules tuned to XSS payloads in the affected field, recognising that a WAF can be bypassed and does not address content already in the database.

These measures, combined, reduce the likelihood of successful exploitation and limit the damage if it occurs.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-08-17T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68dad52838edf801b1798cc1

Added to database: 9/29/2025, 6:51:20 PM

Last enriched: 9/29/2025, 6:52:08 PM

Last updated: 9/30/2025, 10:31:15 AM

