CVE-2025-64260: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Marco Milesi ANAC XML Bandi di Gara
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marco Milesi ANAC XML Bandi di Gara avcp allows Reflected XSS. This issue affects ANAC XML Bandi di Gara: from n/a through <= 7.7.
AI Analysis
Technical Summary
CVE-2025-64260 is a reflected Cross-site Scripting (XSS) vulnerability identified in the Marco Milesi ANAC XML Bandi di Gara software, a tool used for managing and publishing public procurement notices in XML format. The vulnerability stems from improper neutralization of user-supplied input during the dynamic generation of web pages, which allows attackers to inject malicious JavaScript code into the responses sent to users. When a victim interacts with a crafted URL or input, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability affects all versions up to and including 7.7, with no specific version exclusions noted. The CVSS v3.1 base score is 7.1, reflecting a high severity due to network attack vector (no local access required), low attack complexity, no privileges required, but requiring user interaction. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component, and it impacts confidentiality, integrity, and availability to a limited extent. No known exploits are currently reported in the wild, but the nature of reflected XSS makes it a common vector for phishing and session hijacking attacks. The software is primarily used in European public sector procurement contexts, making government agencies and contractors potential targets. The lack of available patches at the time of publication necessitates immediate mitigation efforts through input validation, output encoding, and security headers.
Potential Impact
The impact of CVE-2025-64260 on European organizations is significant, especially for public sector entities involved in procurement and contract management that rely on the ANAC XML Bandi di Gara software. Successful exploitation can lead to theft of user credentials, session hijacking, unauthorized actions on procurement portals, and potential manipulation or disclosure of sensitive procurement data. This can undermine the integrity and confidentiality of public procurement processes, leading to financial loss, reputational damage, and legal consequences under GDPR due to data breaches. Additionally, attackers could use the vulnerability to deliver malware or conduct phishing campaigns targeting employees and contractors. The availability impact, while limited, could disrupt access to procurement information, delaying critical public sector operations. Given the strategic importance of public procurement transparency and integrity in European governance, this vulnerability poses a notable risk to trust and operational continuity.
Mitigation Recommendations
1. Apply official patches or updates from Marco Milesi as soon as they become available to address the vulnerability directly.
2. Implement strict input validation on all user-supplied data, ensuring that inputs are sanitized and validated against expected formats before processing.
3. Employ proper output encoding (e.g., HTML entity encoding) when reflecting user input in web pages to prevent script execution.
4. Configure Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
5. Use HTTP-only and secure flags on cookies to protect session tokens from theft via XSS.
6. Conduct regular security audits and penetration testing focused on web application security to identify and remediate similar issues proactively.
7. Educate users about the risks of clicking on suspicious links and encourage cautious behavior to reduce the likelihood of successful exploitation.
8. Monitor web server logs and intrusion detection systems for unusual activity indicative of attempted XSS exploitation.
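The following is an added example, not code from ANAC XML Bandi di Gara or from Marco Milesi, and it does not reflect how the affected plugin is actually written. It assumes a hypothetical search endpoint with two constructed parameters, "q" (free text) and "anno" (a four-digit year), and shows recommendations 2 to 5 side by side: a reflection that echoes input verbatim (the defect class the advisory describes), the same reflection with HTML entity encoding, an allow-list validator for the structured parameter, and the CSP and cookie flags that limit the damage if encoding is ever missed.

```python
"""Reflected-XSS hardening: output encoding, input validation, CSP, cookie flags.

Added example; the endpoint, parameter names ("q", "anno") and page layout
are constructed for illustration and are not taken from the affected plugin.
"""
import html
import re
from typing import Dict, Tuple

# Constructed allow-list for the structured parameter: exactly four digits.
YEAR_RE = re.compile(r"\d{4}")


def validate_year(raw: str) -> int:
    """Recommendation 2: validate against the expected format, reject the rest."""
    if not YEAR_RE.fullmatch(raw):
        raise ValueError("anno must be exactly four digits")
    return int(raw)


def vulnerable_render(query: str) -> str:
    """The defect class in the advisory: input reflected with no neutralisation."""
    return f"<h1>Results for: {query}</h1>"


def hardened_render(query: str) -> str:
    """Recommendation 3: HTML-entity encode before reflecting.

    quote=True also encodes ' and ", so the value stays inert if it is
    later placed inside an attribute rather than element text.
    """
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def security_headers(session_id: str) -> Dict[str, str]:
    """Recommendations 4 and 5: CSP that forbids inline script, and a session
    cookie that script cannot read (HttpOnly) or send over plain HTTP (Secure)."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


def handle_request(params: Dict[str, str], session_id: str) -> Tuple[int, Dict[str, str], str]:
    """Minimal handler tying the controls together; returns (status, headers, body)."""
    try:
        year = validate_year(params.get("anno", "2025"))
    except ValueError as exc:
        # Error text is also user-influenced, so it is encoded too.
        return 400, security_headers(session_id), f"<p>{html.escape(str(exc))}</p>"
    body = hardened_render(params.get("q", "")) + f"<p>Anno: {year}</p>"
    return 200, security_headers(session_id), body


def reflects_verbatim(rendered: str, payload: str) -> bool:
    """Audit helper: does the raw input appear in the output unencoded?"""
    return payload in rendered


if __name__ == "__main__":
    # Constructed sample input containing markup, as a tester would submit it.
    sample = "<script>alert('x')</script>"
    print("vulnerable:", vulnerable_render(sample))
    print("hardened:  ", hardened_render(sample))
    print(handle_request({"q": sample, "anno": "2024"}, "SESSION-ID-PLACEHOLDER"))
```

The `reflects_verbatim` check is the one to keep in an automated test suite: feed each reflected parameter a marker containing `<`, `>` and quotes and assert the marker never comes back unchanged. Note that `html.escape` is correct for element text and quoted attribute values only; input placed into a JavaScript block, a URL, or a CSS context needs the encoder for that context instead.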
Affected Countries
Italy, Germany, France, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:22.608Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b0534eb3efac36700aba
Added to database: 12/18/2025, 7:42:11 AM
Last enriched: 1/20/2026, 11:53:27 PM
Last updated: 2/4/2026, 6:37:23 AM
Views: 29