CVE-2025-65300: n/a
A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser.
AI Analysis
Technical Summary
CVE-2025-65300 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Coohom SaaS Platform, version feVersion=1760060603897, specifically within the Account Settings module. The vulnerability arises because the platform fails to properly sanitize user input in the Address fields—namely City, State, and Country/Region. When a user inputs malicious JavaScript code into these fields, the code is stored and subsequently rendered back to any user who views the affected profile page. This stored XSS flaw allows attackers to execute arbitrary scripts in the context of the victim's browser session. The consequences include session hijacking, cookie theft, and potentially further exploitation such as credential theft or unauthorized actions performed on behalf of the victim. The vulnerability was published on December 9, 2025, but no CVSS score has been assigned yet, and there are no known exploits in the wild. Exploitation requires the attacker to inject malicious input and the victim to view the compromised profile page, meaning user interaction is necessary. The lack of input sanitization and output encoding in a SaaS platform that likely serves multiple organizations increases the risk of widespread impact if exploited. This vulnerability primarily threatens the confidentiality and integrity of user sessions and data within the Coohom platform.
Potential Impact
For European organizations, this vulnerability poses a significant risk to user data confidentiality and session integrity, especially for those relying on Coohom SaaS for design, architecture, or real estate services where profile and address data are commonly used. Successful exploitation could lead to unauthorized access to user accounts, theft of session cookies, and potential lateral movement within organizational resources if session tokens are reused or linked to internal systems. This could result in data breaches, reputational damage, and compliance violations under GDPR due to unauthorized data exposure. The stored nature of the XSS means that multiple users can be affected once the malicious payload is stored, increasing the attack surface. Although no known exploits exist yet, the ease of injecting malicious scripts into address fields and the commonality of user interaction with profile pages make this a credible threat. The impact on availability is limited, but the integrity and confidentiality impacts are high. Organizations using Coohom SaaS in Europe should consider this vulnerability a priority for remediation to prevent targeted phishing or social engineering campaigns leveraging this flaw.
Mitigation Recommendations
To mitigate this vulnerability, Coohom SaaS platform operators must implement strict input validation and sanitization on all user-supplied data fields, especially those rendered back to users such as City, State, and Country/Region in the Account Settings module. Employing context-aware output encoding (e.g., HTML entity encoding) before rendering user input on web pages is critical to prevent script execution. Additionally, adopting Content Security Policy (CSP) headers can help reduce the impact of any injected scripts by restricting script sources. Organizations using Coohom should monitor user profiles for suspicious input and educate users to be cautious when viewing profiles from untrusted sources. Regular security audits and penetration testing focused on input handling should be conducted. If possible, disabling or restricting the display of user-generated content in sensitive areas until patches are applied can reduce risk. Finally, Coohom should release and communicate patches promptly once available, and organizations should apply them without delay.
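The input validation and output encoding recommended above, sketched for the three address fields as an added example; it is not Coohom's code and not part of the original advisory. The field names, the place-name allow-list, the HTML markup and the CSP value are assumptions chosen for illustration.

```javascript
// Added example: field names, markup and policy are hypothetical.
const ADDRESS_FIELDS = ["city", "state", "country"];

// Allow-list for place names: Unicode letters and marks, space, and . ' , -
const PLACE_NAME = /^[\p{L}\p{M} .',-]{1,100}$/u;

// Illustrative policy: no 'unsafe-inline', so an injected inline script
// is blocked even if an encoding step is missed somewhere.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// HTML entity encoding for element content and quoted attribute values.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Input-side check: returns the names of the fields that fail the allow-list.
// The same function can be run over stored profiles to flag suspicious rows.
function invalidAddressFields(address) {
  return ADDRESS_FIELDS.filter((field) => {
    const value = address[field];
    return typeof value !== "string" || !PLACE_NAME.test(value.normalize("NFC").trim());
  });
}

// Output-side defence: encode every field at render time, even if it was
// validated on input, because rows stored before the fix may hold markup.
function renderAddress(address) {
  const cells = ADDRESS_FIELDS.map(
    (field) => `<span class="addr-${field}">${escapeHtml(address[field] ?? "")}</span>`
  );
  return `<div class="address">${cells.join(", ")}</div>`;
}

// Constructed sample records: one benign, one carrying markup in "city".
const benign = { city: "Saint-Étienne", state: "Auvergne-Rhône-Alpes", country: "France" };
const tainted = { city: "<script>alert(1)</script>", state: "NY", country: "US" };

console.log(invalidAddressFields(benign));
console.log(invalidAddressFields(tainted));
console.log(renderAddress(tainted));
```

Validation and encoding are independent layers: the allow-list rejects new bad input, while encoding at render time neutralises anything already stored.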
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693871e8ef540ebbadbcf667
Added to database: 12/9/2025, 7:00:56 PM
Last enriched: 12/9/2025, 7:16:03 PM
Last updated: 12/11/2025, 5:40:57 AM