
CVE-2025-58987: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AntoineH Football Pool

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-58987, cve, cve-2025-58987, cwe-79
Published: Tue Sep 09 2025 (09/09/2025, 16:33:11 UTC)
Source: CVE Database V5
Vendor/Project: AntoineH
Product: Football Pool

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.6.

AI-Powered Analysis

Last updated: 09/09/2025, 16:45:34 UTC

Technical Analysis

CVE-2025-58987 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the AntoineH Football Pool application up to version 2.12.6. Stored XSS occurs when malicious input is improperly neutralized, stored by the web application, and later served to users without adequate sanitization or encoding. In this case, an attacker with low privileges (PR:L) can inject malicious scripts into Football Pool web pages, and exploitation requires user interaction (UI:R). When other users access the affected pages, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or further exploitation of the victim's environment.

The CVSS 3.1 base score is 6.5 (medium severity), reflecting a network attack vector (AV:N), low attack complexity (AC:L), partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L), and a scope change (S:C), which indicates that the vulnerability affects components beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet.

The vulnerability arises from insufficient input validation and output encoding during web page generation, a common issue in web applications that handle user-generated content. Football Pool is a web-based application used to manage football (soccer) pools, often deployed by sports communities or organizations to facilitate betting or prediction games. The lack of patches and the presence of stored XSS make this a significant risk if exploited, especially in environments where users have elevated privileges or sensitive data is handled.

Potential Impact

For European organizations using AntoineH Football Pool, this vulnerability poses a moderate risk. Stored XSS can lead to session hijacking, allowing attackers to impersonate legitimate users, potentially including administrators. This can result in unauthorized access to sensitive user data, manipulation of pool results, or defacement of the application, damaging organizational reputation. In environments where Football Pool is integrated with other internal systems or user authentication mechanisms, the scope change indicated by the CVSS vector suggests that exploitation could impact multiple components, increasing the risk of broader compromise. Additionally, the vulnerability could be leveraged as a foothold for further attacks, such as phishing or malware distribution, especially if users are tricked into executing malicious scripts. Given that the attack requires user interaction, the risk is somewhat mitigated by user awareness, but social engineering could facilitate exploitation. European organizations with active user communities or public-facing deployments of Football Pool are particularly at risk. The impact on confidentiality, integrity, and availability, though partial, is significant enough to warrant prompt attention.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data rendered in web pages, following OWASP XSS prevention guidelines.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads.
3. Conduct a thorough code review of the Football Pool application focusing on all points where user input is accepted and displayed, ensuring proper sanitization.
4. Isolate the Football Pool application environment from critical internal systems to limit the scope of potential compromise.
5. Educate users about the risks of clicking on suspicious links or interacting with unexpected content within the application.
6. Monitor web application logs for unusual input patterns or error messages that could indicate attempted exploitation.
7. Since no official patches are currently available, consider applying virtual patching via web application firewalls (WAFs) configured to detect and block typical XSS payloads targeting Football Pool.
8. Engage with the vendor or community maintaining Football Pool to obtain or expedite patches and updates addressing this vulnerability.
9. Regularly update and patch the underlying web server and platform components to reduce the attack surface.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-06T04:45:22.563Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c05927ffcb452a184a8c44

Added to database: 9/9/2025, 4:43:19 PM

Last enriched: 9/9/2025, 4:45:34 PM

Last updated: 9/9/2025, 9:34:42 PM
