CVE-2025-60948 is a stored cross-site scripting vulnerability identified in Census CSWeb version 8.0.1. The vulnerability arises from improper input sanitization and neutralization during web page generation, classified under CWE-79. An authenticated attacker can inject malicious JavaScript code into user-supplied fields that are stored and subsequently rendered in the web application without adequate encoding or filtering. When other users access the affected pages, the malicious script executes in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the victim, or conduct other malicious activities within the context of the victim's session. The attack vector requires the attacker to have valid credentials (low privilege) and involves user interaction to trigger the payload. The vulnerability does not affect availability but impacts confidentiality and integrity to a limited extent. The CVSS v3.1 base score is 4.6, reflecting medium severity, with attack vector network, low attack complexity, privileges required, and user interaction needed. The issue was addressed in Census CSWeb version 8.1.0 alpha, which implements proper input validation and output encoding to prevent script injection. No public exploits have been reported to date, but the vulnerability poses a risk to organizations relying on this software for web-based services.

The primary impact of CVE-2025-60948 is on the confidentiality and integrity of user data within Census CSWeb environments. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of legitimate users, and potential theft of sensitive information accessible through the web application. Although the vulnerability requires authentication and user interaction, it can facilitate lateral movement or privilege escalation within an organization if attackers compromise user accounts. The risk is heightened in environments where Census CSWeb is used for critical or sensitive operations, as attackers could manipulate workflows or exfiltrate data. However, the lack of impact on availability and the medium CVSS score indicate a moderate threat level. Organizations with many users or high-value data exposed through CSWeb are at greater risk, especially if patching is delayed. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate CVE-2025-60948, organizations should promptly upgrade Census CSWeb to version 8.1.0 or later, where the vulnerability is fixed. In the interim, apply strict input validation and output encoding on all user-supplied data fields to prevent script injection. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges to the minimum necessary to reduce the impact of compromised accounts. Conduct regular security training to raise awareness about phishing and social engineering, which could facilitate credential theft. Monitor web application logs for unusual input patterns or repeated failed attempts to inject scripts. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Finally, review and harden session management controls to prevent session fixation or hijacking attacks that could result from XSS exploitation.