CVE-2025-58212 is a medium severity vulnerability classified as CWE-79, indicating an Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). Specifically, this vulnerability affects the epeken Epeken All Kurir product, versions up to and including 2.0.1. The vulnerability is DOM-based XSS, meaning that the malicious script injection occurs on the client side through manipulation of the Document Object Model (DOM) rather than server-side injection. This type of XSS arises when client-side scripts write data provided by an attacker to the DOM without proper sanitization or encoding, allowing execution of arbitrary JavaScript in the context of the victim's browser. The CVSS 3.1 base score is 6.5, reflecting a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, with a scope change (S:C) meaning the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches are linked yet, suggesting the vulnerability is newly disclosed. The vulnerability could allow attackers to execute arbitrary scripts in the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user within the affected application context.

For European organizations using epeken Epeken All Kurir, this vulnerability poses a risk primarily to web application security and user data confidentiality. Since the product appears to be a courier or logistics-related application, exploitation could lead to unauthorized access to shipment data, customer information, or internal communications. The DOM-based XSS could be leveraged by attackers to steal session cookies, perform actions as legitimate users, or deliver further malware payloads. This could disrupt business operations, damage customer trust, and lead to regulatory non-compliance, especially under GDPR, which mandates protection of personal data. The requirement for user interaction means phishing or social engineering campaigns might be necessary to trigger the exploit, increasing the risk in environments with less security awareness. The scope change in the CVSS vector suggests that the vulnerability could affect multiple components or users beyond the initially vulnerable module, potentially amplifying the impact. Although no active exploits are known, the presence of this vulnerability in a critical logistics platform could attract targeted attacks, especially in sectors reliant on timely and secure delivery services.

To mitigate this vulnerability, organizations should first monitor for official patches or updates from epeken and apply them promptly once available. In the absence of a patch, implement strict input validation and output encoding on all user-controllable inputs that interact with the DOM in the Epeken All Kurir application. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct security awareness training to educate users about the risks of clicking on suspicious links or interacting with untrusted content that could trigger DOM-based XSS. Additionally, perform regular security testing, including automated scanning and manual penetration testing focused on client-side vulnerabilities. If feasible, isolate the application environment and limit user privileges to reduce the potential damage from successful exploitation. Logging and monitoring for unusual user behavior or script execution anomalies can help detect exploitation attempts early.