CVE-2025-62899 identifies a stored Cross-site Scripting (XSS) vulnerability in the Photospace Responsive web design product developed by THRIVE - Web Design Gold Coast. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored on the server and later executed in the browsers of users who visit the affected pages. This type of vulnerability is particularly dangerous because the malicious payload persists and can affect multiple users without requiring repeated exploitation. The vulnerability affects all versions up to and including 2.2.0, although the exact range is not fully specified. The CVSS 3.1 base score is 5.4, indicating medium severity, with the vector string AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This means the attack can be launched remotely over the network with low attack complexity, requires low privileges (authenticated user), and user interaction (clicking a link or visiting a page) is necessary. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the vulnerable component. The impact affects confidentiality and integrity partially but does not affect availability. There are no known exploits in the wild at the time of publication. The vulnerability was reserved on 2025-10-24 and published on 2025-10-27. No patches or mitigations have been officially released yet, but standard XSS mitigation techniques apply. Stored XSS can lead to session hijacking, credential theft, defacement, or distribution of malware, making it a significant risk for web applications relying on Photospace Responsive. The vulnerability is cataloged in the CVE database and assigned by Patchstack.

For European organizations using Photospace Responsive in their web infrastructure, this vulnerability poses a risk of persistent cross-site scripting attacks that can compromise user sessions, steal sensitive information, or alter website content. The partial confidentiality and integrity impact means attackers could access or manipulate data accessible through the vulnerable web pages. Although availability is not affected, the reputational damage and potential data breaches could have regulatory consequences under GDPR. Organizations with customer-facing websites or internal portals built on this product are particularly at risk. The requirement for low privileges and user interaction means attackers might exploit compromised or insider accounts to inject malicious scripts, which then affect other users. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure. The medium severity rating suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation and potential compliance issues.

1. Monitor official channels from THRIVE - Web Design Gold Coast for patches or updates addressing CVE-2025-62899 and apply them immediately upon release. 2. Implement strict input validation on all user-supplied data to ensure that scripts or HTML tags are sanitized or rejected before storage or rendering. 3. Employ context-sensitive output encoding (e.g., HTML entity encoding) when displaying user input to prevent script execution. 4. Deploy a robust Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable code. 5. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities within the Photospace Responsive environment. 6. Educate users and administrators about the risks of XSS and encourage cautious behavior regarding suspicious links or inputs. 7. Use web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting this product. 8. Limit privileges of users who can submit content to reduce the risk of malicious input injection. 9. Review and harden session management to mitigate session hijacking risks in case of successful XSS exploitation.