
CVE-2025-58983: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Stefano Lissa Include Me

Severity: Medium
Tags: vulnerability, CVE-2025-58983, CWE-79
Published: Tue Sep 09 2025 (09/09/2025, 16:33:14 UTC)
Source: CVE Database V5
Vendor/Project: Stefano Lissa
Product: Include Me

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefano Lissa Include Me allows Stored XSS. This issue affects Include Me: from n/a through 1.3.2.

AI-Powered Analysis

Last updated: 09/09/2025, 16:46:52 UTC

Technical Analysis

CVE-2025-58983 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the web application component 'Include Me' developed by Stefano Lissa, up to version 1.3.2. Stored XSS occurs when malicious input is improperly neutralized, persisted by the application, and later served to other users without proper output encoding. This vulnerability allows an attacker with authenticated access (the CVSS vector requires High privileges and user interaction) to inject scripts into web pages generated by Include Me. When other users view these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. The CVSS score of 5.9 (medium severity) reflects a moderate impact on confidentiality, integrity, and availability, with a network attack vector and low attack complexity, but requiring privileges and user interaction. The vulnerability has not been reported as exploited in the wild, and no official patches are currently linked. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component, which increases the potential impact. Since Include Me is a web application component, the vulnerability primarily threatens the web servers on which it is deployed and the users of those sites.

Potential Impact

For European organizations using Include Me, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Attackers exploiting this flaw could impersonate legitimate users, steal sensitive information, or perform unauthorized actions within the affected web applications. This can lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and potential financial losses. The requirement for authenticated access and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or weak internal controls. Organizations in sectors with high web presence such as e-commerce, government portals, or online services are particularly vulnerable. Additionally, the scope change indicates that the vulnerability could impact multiple components or user roles, increasing the breadth of potential damage.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data within Include Me, especially for fields that are stored and later rendered in web pages.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3. Limit user privileges to the minimum necessary to reduce the risk of exploitation by authenticated users.
4. Monitor logs for unusual input patterns or script injections indicative of attempted exploitation.
5. If possible, isolate the Include Me component within a segmented network zone to reduce lateral movement.
6. Since no official patch is currently available, consider temporarily removing or disabling vulnerable functionality until a fix is released.
7. Educate users about phishing and social engineering risks that could facilitate exploitation requiring user interaction.
8. Regularly review and update web application firewall (WAF) rules to detect and block XSS payloads targeting Include Me.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-06T04:45:22.562Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c05927ffcb452a184a8c31

Added to database: 9/9/2025, 4:43:19 PM

Last enriched: 9/9/2025, 4:46:52 PM

Last updated: 9/9/2025, 9:35:07 PM

