
CVE-2025-61074: n/a

Published: Tue Dec 09 2025 (12/09/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other users via manipulation of the 'Inhalt' parameter of the '/SchwarzeBrett/Nachrichten/CreateNachricht' or '/SchwarzeBrett/Nachrichten/EditNachricht/' requests.

AI-Powered Analysis

AI analysis last updated: 12/09/2025, 15:41:51 UTC

Technical Analysis

CVE-2025-61074 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SchwarzeBrett bulletin board module of the adata Software GmbH Mitarbeiter Portal, version 2.15.2.0. The vulnerability arises from insufficient sanitization or output encoding of user-supplied input in the 'Inhalt' (message body) parameter when messages are created or edited via the endpoints '/SchwarzeBrett/Nachrichten/CreateNachricht' and '/SchwarzeBrett/Nachrichten/EditNachricht/'. Because the injected script is stored persistently, any authenticated user who views the affected message has the attacker's JavaScript executed in their own browser context. This can lead to a range of attacks including session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, or spreading malware within the internal network. Exploitation requires an authenticated account, which limits attackers to insiders or compromised accounts; however, no user interaction beyond viewing the malicious message is needed for the payload to execute. Currently, there are no known public exploits or patches available, and no CVSS score has been assigned. The vulnerability was reserved in late September 2025 and published in December 2025. In the absence of a CVSS score, severity must be assessed from the impact and exploitability factors described here. Stored XSS vulnerabilities in internal portals are particularly dangerous because they can facilitate lateral movement and privilege escalation within organizations.

Potential Impact

For European organizations, this vulnerability poses a significant risk to internal security, especially in companies using the adata Mitarbeiter Portal for employee communications and collaboration. Exploitation could lead to unauthorized access to sensitive employee data, session hijacking, and potential spread of malware or further exploitation within the corporate network. The requirement for authentication means that attackers must already have some level of access, but this could be leveraged to escalate privileges or compromise additional accounts. The impact on confidentiality and integrity is high, as attackers can steal credentials or manipulate user actions. Availability impact is lower but could occur if attackers inject disruptive scripts. Organizations with large user bases relying on this portal for daily operations may face operational disruptions and reputational damage if exploited. The absence of patches or mitigations increases the urgency for interim protective measures.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'Inhalt' parameter to prevent malicious scripts from being stored and executed. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Access controls should be reviewed to limit the number of users who can create or edit bulletin board messages. Monitoring and logging of bulletin board activity can help detect suspicious behavior. User education on phishing and social engineering risks related to internal portals is also beneficial. If possible, isolate the Mitarbeiter Portal network segment to reduce lateral movement risks. Organizations should engage with adata Software GmbH for patches or updates and apply them promptly once available. In the interim, consider disabling the SchwarzeBrett module if feasible or restricting its use to trusted users only.
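The output-encoding step recommended above, as an added example that is not adata's code: a server-side allow-list sanitizer for the 'Inhalt' message body that keeps a few formatting tags, drops every other tag (script, event handlers, javascript: links) and HTML-encodes all remaining text, alongside a restrictive CSP header value. The tag allow-list, the header contents and the function names are assumptions for this example, not the portal's actual policy.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list for a bulletin board body: simple formatting only.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Assumed CSP for portal pages: no inline or third-party scripts at all.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


class InhaltSanitizer(HTMLParser):
    """Re-emit only allow-listed tags/attributes; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = False  # True while inside <script>/<style> bodies

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            return  # drop the tag (and any on* handlers it carried) entirely
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # rejects javascript:, data:, vbscript: links
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=True))  # < > & " ' encoded

    def handle_comment(self, data):
        pass  # HTML comments (incl. conditional comments) are discarded


def sanitize_inhalt(inhalt: str) -> str:
    """Normalise a stored message body before it is rendered to other users."""
    parser = InhaltSanitizer()
    parser.feed(inhalt)
    parser.close()
    return "".join(parser.out)
```

Apply `sanitize_inhalt` on the rendering path (not only on submission) so messages already stored before the fix are neutralised as well.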


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69383fbf795dcaf6c50728b0

Added to database: 12/9/2025, 3:26:55 PM

Last enriched: 12/9/2025, 3:41:51 PM

Last updated: 12/10/2025, 4:21:20 AM
