CVE-2025-58645 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Gravitate Automated Tester product up to version 1.4.5. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before embedding it into web pages, allowing malicious actors to inject and store arbitrary JavaScript code. When other users or administrators access the affected pages, the malicious script executes in their browsers within the context of the vulnerable application. The CVSS 3.1 base score is 5.9, reflecting a network attack vector (AV:N), low attack complexity (AC:L), but requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact includes limited confidentiality, integrity, and availability losses, as the injected scripts can steal session tokens, manipulate displayed data, or perform actions on behalf of the user. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 22, 2025, with the initial reservation on September 3, 2025. The Gravitate Automated Tester is a specialized testing tool, and the vulnerability could be exploited by authenticated users with elevated privileges who can submit crafted inputs that get stored and later rendered to other users.

For European organizations using Gravitate Automated Tester, this vulnerability poses a risk primarily in environments where multiple users access the testing platform, especially if privileged users are involved. Successful exploitation could lead to session hijacking, unauthorized actions performed with elevated privileges, and potential lateral movement within the network. This could compromise the integrity of testing results, leak sensitive project or organizational data, and disrupt availability of the testing service. Given the requirement for high privileges and user interaction, the threat is somewhat limited to insider threats or attackers who have already gained partial access. However, the scope change means that exploitation could impact other components or services integrated with the tester, amplifying potential damage. European organizations in sectors with strict data protection regulations (e.g., GDPR) must be cautious, as exploitation could lead to data breaches and regulatory penalties.

1. Immediate mitigation should include restricting access to the Gravitate Automated Tester to trusted, authenticated users with minimal necessary privileges. 2. Implement strict input validation and output encoding on all user-supplied data rendered in the application, particularly in web page generation contexts. 3. Monitor and audit logs for unusual input patterns or script injection attempts. 4. Until an official patch is released, consider deploying Web Application Firewalls (WAFs) with rules targeting common XSS payloads specific to Gravitate Automated Tester. 5. Educate users and administrators about the risks of clicking on suspicious links or executing untrusted scripts within the application. 6. Regularly check for vendor updates or patches and apply them promptly once available. 7. Conduct internal penetration testing focusing on stored XSS vectors within the testing platform to identify and remediate any additional weaknesses.