
CVE-2025-57540: n/a

Severity: Medium
Published: Tue Sep 09 2025 (09/09/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page, enabling client-side attacks.

AI-Powered Analysis

Last updated: 09/17/2025, 01:10:11 UTC

Technical Analysis

CVE-2025-57540 is a stored cross-site scripting (XSS) vulnerability in the WebAuthn Relying Party field of the Datacenter configuration interface of Proxmox Virtual Environment (PVE) version 8.4. An authenticated user can store malicious JavaScript in this field; when other users open the configuration page, the stored script executes in their browsers, enabling client-side attacks such as session hijacking, credential theft, or further exploitation of the victim's browser environment. The weakness is classified as CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 5.4 (medium severity), with a vector of network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), changed scope (S:C), and low impact on confidentiality and integrity with no impact on availability (C:L/I:L/A:N). No public exploits are currently known, and no patches have been linked yet. Exploitation requires an authenticated user to store the payload and depends on other users viewing the affected configuration page; the changed scope (S:C) reflects that the script executes in those users' browsers rather than in the component that stores it.

Potential Impact

For European organizations using Proxmox VE 8.4, this vulnerability poses a risk primarily to internal users who have access to the Datacenter configuration interface. Since Proxmox VE is widely used for virtualization and container management in data centers and enterprise environments, exploitation could lead to unauthorized access to sensitive session tokens or credentials, potentially allowing lateral movement within the network. The confidentiality and integrity of user sessions and data could be compromised, leading to data leakage or manipulation. While availability is not directly impacted, the indirect consequences of such client-side attacks could disrupt administrative operations. European organizations with multi-tenant environments or shared administrative consoles are particularly at risk, as the injected scripts could affect multiple users. The requirement for authentication and user interaction limits the attack surface but does not eliminate risk, especially in environments with many administrators or operators. The lack of known exploits suggests limited current exploitation, but the medium severity score indicates that timely mitigation is important to prevent future attacks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify whether they are running Proxmox VE version 8.4 and restrict access to the Datacenter configuration interface to trusted administrators only. Implement strict input validation and sanitization on the WebAuthn Relying Party field to prevent injection of malicious scripts. Until an official patch is released, consider disabling or limiting the use of the WebAuthn feature within the Datacenter configuration if feasible. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the administrative interface. Regularly audit user privileges to ensure only necessary personnel have configuration access. Additionally, educate administrators about the risks of stored XSS and encourage caution when interacting with configuration pages. Monitor logs for unusual activity related to configuration changes or script injections. Finally, stay current with Proxmox security advisories for patches or workarounds addressing this vulnerability.
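The two controls that close a stored-XSS hole in a configuration field like this one are validating on write and encoding on read. The following is an added illustration, not Proxmox code: it assumes the Relying Party field holds a WebAuthn RP ID, which the WebAuthn specification defines as a domain string, so a hostname allowlist can reject markup before storage, and HTML-escaping at render time neutralizes anything that was stored anyway. The inputs are constructed for the example.

```javascript
// Added example (not from the advisory or Proxmox). Two layers of defence
// for a stored configuration value such as a WebAuthn Relying Party ID.

// 1) Validate on write. An RP ID is a domain string: DNS labels of 1-63
//    characters (letters, digits, internal hyphens), at most 253 in total.
//    Anything containing '<', '"', spaces, etc. is rejected before storage.
const RP_ID_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isValidRpId(value) {
  return typeof value === 'string' && RP_ID_RE.test(value);
}

// 2) Encode on read. Escape the five HTML-significant characters so a stored
//    value is rendered as text and can never be parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Simulated table-cell renderers for the configuration page (hypothetical).
// The unsafe one interpolates the stored value directly, which is the CWE-79
// pattern; the safe one encodes it first.
function renderUnsafe(rpId) {
  return `<td>${rpId}</td>`;
}
function renderSafe(rpId) {
  return `<td>${escapeHtml(rpId)}</td>`;
}

// Constructed sample inputs: a legitimate RP ID and a textbook script tag.
const GOOD_RP_ID = 'pve.example.internal';
const BAD_RP_ID = '<script>alert(1)</script>';

console.log(isValidRpId(GOOD_RP_ID), isValidRpId(BAD_RP_ID)); // true false
console.log(renderUnsafe(BAD_RP_ID)); // markup survives: the stored-XSS sink
console.log(renderSafe(BAD_RP_ID));   // rendered as inert text
```

With validation alone, a future field that legitimately needs richer characters would reopen the hole, which is why output encoding at the render site is the control that must always be present.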


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68c05927ffcb452a184a8c17

Added to database: 9/9/2025, 4:43:19 PM

Last enriched: 9/17/2025, 1:10:11 AM

Last updated: 10/30/2025, 2:17:32 PM

