
CVE-2025-62752: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kalender.digital Calendar.online / Kalender.digital

Severity: Medium
Tags: vulnerability, CVE-2025-62752, CWE-79
Published: Wed Dec 31 2025 (12/31/2025, 11:57:50 UTC)
Source: CVE Database V5
Vendor/Project: kalender.digital
Product: Calendar.online / Kalender.digital

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS. This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11.

AI-Powered Analysis

Last updated: 01/20/2026, 22:38:32 UTC

Technical Analysis

CVE-2025-62752 identifies a DOM-based cross-site scripting (XSS) vulnerability in the kalender.digital Calendar.online / Kalender.digital product line, affecting versions up to and including 1.0.11. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79). The flaw lets an attacker inject JavaScript that executes in the victim's browser context when the victim interacts with the affected application. Because the vulnerability is DOM-based, the injected script runs as a result of client-side code processing unsafe input, rather than being injected into the response by the server.

The CVSS v3.1 base score is 6.5 (medium), with vector metrics AV:N (network attack vector), AC:L (low attack complexity), PR:L (low privileges required), UI:R (user interaction required) and S:C (scope changed); the confidentiality, integrity and availability impacts are each rated low. Exploitation therefore requires an attacker who already holds some privilege in the application and a victim who interacts with crafted content, such as clicking a malicious link or opening a manipulated calendar entry.

No exploits are currently reported in the wild. If exploited, the vulnerability could be used to steal session tokens, manipulate calendar data, or perform actions on behalf of the user; because the kalender.digital product is used for online calendar management, sensitive scheduling and organizational data may be exposed. No patch was available at the time of reporting, so administrators and developers should give immediate attention to input validation and output encoding. Content Security Policy (CSP) headers that restrict the sources from which scripts may execute can further reduce the risk. The scope change (S:C) indicates that exploitation could affect resources beyond the initially vulnerable component, increasing the potential impact.

Potential Impact

For European organizations using kalender.digital's Calendar.online / Kalender.digital, this vulnerability poses risks including unauthorized access to sensitive calendar information, session hijacking, and manipulation of calendar entries. Such impacts can disrupt business operations, leak confidential scheduling information, and enable follow-on attacks such as phishing or lateral movement within networks. Given the medium severity and the requirement for both user interaction and some privileges, the threat is moderate, but it is significant in environments where calendar data matters for operational security and privacy. Organizations in sectors such as government, finance, healthcare and critical infrastructure that rely on kalender.digital for scheduling face a higher risk of targeted attacks exploiting this vulnerability. The scope change also means that exploitation could affect multiple components or users, amplifying the potential damage. The current absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, since attackers may develop exploits once patches are released or the vulnerability becomes more widely known.

Mitigation Recommendations

1. Monitor kalender.digital vendor communications closely and apply security patches immediately upon release to address CVE-2025-62752.
2. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the calendar application, focusing on sanitizing inputs that affect DOM manipulation.
3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the risk of XSS exploitation.
4. Limit user privileges within the calendar application to the minimum necessary to reduce the impact of potential exploitation.
5. Educate users about the risks of interacting with untrusted links or calendar entries, emphasizing caution with unexpected or suspicious content.
6. Conduct regular security assessments and penetration testing focusing on client-side vulnerabilities, especially DOM-based XSS.
7. Consider implementing web application firewalls (WAF) with rules tailored to detect and block XSS attack patterns targeting kalender.digital.
8. Review and harden browser security settings and encourage the use of modern browsers with built-in XSS protections.
9. Maintain robust incident response plans to quickly identify and mitigate exploitation attempts if they occur.
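The controls in recommendations 2 and 3 (output encoding at DOM sinks, and a restrictive CSP), as an added illustration that is not kalender.digital's code and says nothing about where the flaw sits in Calendar.online: a generic DOM sink written the unsafe way and the hardened way, a contextual HTML encoder for the cases where string templating cannot be avoided, and a CSP header value of the kind the recommendation describes. The `cal-title` class, the title data and the input string are all constructed for the example.

```javascript
// Added example, not kalender.digital's code. Element names and input are hypothetical.

// Contextual encoder for the HTML text/attribute context: neutralizes the five
// characters that can change the parser state when untrusted data lands in markup.
function encodeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink (the generic DOM-based XSS shape): untrusted data is concatenated
// into markup and assigned to innerHTML, so the browser parses whatever it contains.
function renderTitleUnsafe(el, untrustedTitle) {
  el.innerHTML = `<h2 class="cal-title">${untrustedTitle}</h2>`;
}

// Hardened, preferred form: build the node with DOM APIs and assign the untrusted
// value via textContent, which is never parsed as HTML. `doc` is the document object.
function renderTitleSafe(doc, el, untrustedTitle) {
  const h2 = doc.createElement("h2");
  h2.className = "cal-title";
  h2.textContent = untrustedTitle;
  el.replaceChildren(h2);
}

// When a string template is unavoidable, encode for the HTML context before use.
function buildTitleMarkup(untrustedTitle) {
  return `<h2 class="cal-title">${encodeHtml(untrustedTitle)}</h2>`;
}

// Content-Security-Policy value that forbids inline script and third-party script
// sources; with this policy in place, injected inline <script> or event handlers
// are blocked by the browser even if an encoding gap remains somewhere.
function cspHeaderValue() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed input containing markup, used only to show the encoder's effect.
const constructedInput = "Team sync <b>today</b>";
console.log(buildTitleMarkup(constructedInput));
console.log("Content-Security-Policy: " + cspHeaderValue());
```

`renderTitleSafe` is the form to prefer in application code; `buildTitleMarkup` shows the encoding that a templating path needs, and the CSP is a defence-in-depth layer rather than a substitute for either.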


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-10-21T14:59:50.025Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69551396db813ff03ee6224b

Added to database: 12/31/2025, 12:14:14 PM

Last enriched: 1/20/2026, 10:38:32 PM

Last updated: 2/7/2026, 9:33:23 AM


