CVE-2025-61074: n/a
A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other users via manipulation of the 'Inhalt' parameter of the '/SchwarzeBrett/Nachrichten/CreateNachricht' or '/SchwarzeBrett/Nachrichten/EditNachricht/' requests.
AI Analysis
Technical Summary
CVE-2025-61074 is a stored Cross Site Scripting (XSS) vulnerability in the SchwarzeBrett bulletin board module of the adata Software GmbH Mitarbeiter Portal version 2.15.2.0. It arises from insufficient sanitization or validation of user-supplied input in the 'Inhalt' parameter during message creation or editing via the endpoints '/SchwarzeBrett/Nachrichten/CreateNachricht' and '/SchwarzeBrett/Nachrichten/EditNachricht/'. An authenticated user can submit JavaScript that is stored with the message and executed in the browsers of other users when they view it. Exploitation requires valid credentials (low privilege) and user interaction, since a victim must view the manipulated message for the script to run. The CVSS 3.1 base score is 4.6 (medium) with the vector string AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N: the attack is network exploitable with low attack complexity, requires privileges and user interaction, and has limited impact on confidentiality and integrity with no impact on availability. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). No patches or public exploits have been reported yet. The vulnerability could be leveraged for session hijacking, theft of sensitive information, or execution of unauthorized actions on behalf of other users within the portal. Because the portal is used for internal employee communications, exploitation could lead to significant trust and security issues within affected organizations.
Potential Impact
For European organizations using the adata Software GmbH Mitarbeiter Portal, this vulnerability poses risks primarily to confidentiality and integrity of user sessions and data. Attackers with valid credentials could inject scripts that execute in other users’ browsers, potentially stealing session cookies, credentials, or performing unauthorized actions under the victim’s identity. This could lead to lateral movement within the corporate network, data leakage, or manipulation of internal communications. Although availability is not directly impacted, the reputational damage and potential compliance violations (e.g., GDPR) from data breaches could be significant. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with weak access controls or credential reuse. European organizations with high reliance on this portal for employee communication and collaboration are at increased risk of targeted attacks or insider threats exploiting this vulnerability.
Mitigation Recommendations
1. Immediate mitigation should include input validation and output encoding on the 'Inhalt' parameter to neutralize malicious scripts before storage and rendering.
2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in users’ browsers.
3. Enforce strict authentication and session management controls, including multi-factor authentication, to reduce the risk of compromised accounts.
4. Conduct regular security audits and penetration testing focused on web application input handling.
5. Educate users to recognize suspicious content and report anomalies in the bulletin board.
6. If patches become available from adata Software GmbH, apply them promptly.
7. As a temporary workaround, restrict access to the bulletin board module to trusted users only or disable the feature until a fix is applied.
8. Monitor logs for unusual activity related to message creation or editing endpoints to detect potential exploitation attempts.
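As an added example (not code from adata Software GmbH or from the Mitarbeiter Portal), the following Python contrasts the raw-concatenation rendering pattern behind CWE-79 with the output-encoded form from mitigation 1, builds the CSP header from mitigation 2, and applies the monitoring idea from mitigation 8 as an audit over already-stored messages. The message dicts, function names and the policy string are assumptions; the sample 'Inhalt' values are constructed test data.

```python
import html
import re
from typing import Iterable

# Constructed sample messages (test data for this example, not content from the
# advisory). Messages 2 and 3 carry markup in 'Inhalt', as a malicious author could.
SAMPLE_MESSAGES = [
    {"id": 1, "Inhalt": "Kantine am Freitag geschlossen"},
    {"id": 2, "Inhalt": "Hallo <script>document.title='x'</script> Team"},
    {"id": 3, "Inhalt": 'Bild <img src="x" onerror="document.title=\'y\'">'},
]

# Vulnerable rendering pattern: the stored 'Inhalt' text is concatenated into the
# page as raw HTML, so any tags an author stored become live markup in every
# reader's browser (the CWE-79 condition described above).
def render_unsafe(inhalt: str) -> str:
    return f'<div class="nachricht">{inhalt}</div>'

# Hardened rendering: HTML-encode at output time so <, >, &, and quotes are shown
# as text rather than parsed as markup (the output-encoding step of mitigation 1).
def render_encoded(inhalt: str) -> str:
    return f'<div class="nachricht">{html.escape(inhalt, quote=True)}</div>'

# A tag-like pattern is enough to spot markup that should never appear in plain
# bulletin text; it is a triage heuristic for auditing, not a sanitizer.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def find_markup_messages(messages: Iterable[dict]) -> list[int]:
    """Return ids of stored messages whose 'Inhalt' contains HTML tags, so existing
    content can be reviewed while the endpoints themselves are being monitored."""
    return [m["id"] for m in messages if _TAG_RE.search(m["Inhalt"])]

# CSP header (mitigation 2): no inline scripts, scripts only from the portal's own
# origin. Nonce handling is omitted; this is an assumed starting policy.
def csp_header() -> tuple[str, str]:
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print("unsafe :", render_unsafe(m["Inhalt"]))
        print("encoded:", render_encoded(m["Inhalt"]))
    print("messages with markup:", find_markup_messages(SAMPLE_MESSAGES))
    print(*csp_header(), sep=": ")
```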
Affected Countries
Germany, Austria, Switzerland, Netherlands, Belgium, France
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-09-26T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69383fbf795dcaf6c50728b0
Added to database: 12/9/2025, 3:26:55 PM
Last enriched: 1/14/2026, 7:13:24 PM
Last updated: 2/7/2026, 1:55:54 AM