CVE-2025-58987 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the AntoineH Football Pool application up to version 2.12.6. Stored XSS occurs when malicious input is improperly neutralized and then persistently stored by the application, subsequently rendered in web pages without adequate sanitization or encoding. This allows an attacker to inject malicious scripts that execute in the context of other users’ browsers when they view the affected pages. The vulnerability arises from insufficient input validation during web page generation, enabling attackers with at least limited privileges (PR:L) to inject scripts that compromise confidentiality, integrity, and availability of the application and its users. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), and a scope change (S:C) that affects resources beyond the vulnerable component. The impact includes partial loss of confidentiality, integrity, and availability, such as session hijacking, defacement, or redirection to malicious sites. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

For European organizations using AntoineH Football Pool, this vulnerability poses a significant risk to web application security, particularly in environments where the application is used for managing or displaying football pool data involving multiple users. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information, or manipulation of displayed content, undermining user trust and potentially leading to reputational damage. Given the scope change indicated in the CVSS vector, the attack could impact other components or users beyond the initially compromised context. Organizations in sectors such as sports betting, community engagement platforms, or any entity leveraging this software for user interaction are at risk. The need for user interaction to trigger the exploit means phishing or social engineering could be used to amplify impact. Additionally, compliance with GDPR and other European data protection regulations may be jeopardized if personal data is exposed or manipulated, leading to legal and financial consequences.

To mitigate this vulnerability, European organizations should implement the following specific measures: 1) Immediately review and apply any available patches or updates from AntoineH once released. 2) In the absence of official patches, implement strict input validation and output encoding on all user-supplied data fields within the Football Pool application, especially those that generate web page content. Use context-aware encoding libraries to neutralize script injection vectors. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Conduct thorough code audits focusing on areas where user input is stored and rendered. 5) Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content within the application. 6) Monitor application logs for unusual input patterns or error messages indicative of attempted exploitation. 7) Consider isolating the Football Pool application environment to limit the scope of potential compromise. 8) Integrate web application firewalls (WAF) with rules targeting XSS attack signatures to provide an additional layer of defense.