CVE-2025-65572 is a Cross Site Scripting (XSS) vulnerability identified in AllskyTeam’s AllSky software version 2024.12.06_06. The vulnerability arises from improper sanitization of user-controllable parameters—specifically config, filename, and extratext—passed to the allskySettings.php page. When an attacker injects malicious JavaScript code into any of these parameters, the showMessages() function in status_messages.php outputs error messages that include the injected script without proper encoding or sanitization. This results in the execution of arbitrary scripts in the context of the victim’s browser when the page is reloaded or visited. The vulnerability does not require authentication or privileges but does require user interaction to trigger the script execution. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects that the attack can be launched remotely over the network with low attack complexity, no privileges required, but requires user interaction, and impacts confidentiality and integrity with a scope change. The vulnerability is categorized under CWE-79, which is the standard classification for XSS issues. No patches or known exploits have been reported at the time of publication, but the risk remains significant due to the potential for session hijacking, credential theft, or other malicious actions performed via script execution in the victim’s browser.

For European organizations, especially those involved in astronomy, scientific research, or educational institutions using AllSky software, this vulnerability poses a risk of unauthorized script execution leading to potential data theft, session hijacking, or manipulation of user interactions. The confidentiality of user data and integrity of user sessions can be compromised. Although the vulnerability does not directly affect system availability, the indirect consequences of successful exploitation could disrupt operations or lead to reputational damage. Since the attack requires user interaction, phishing or social engineering could be used to lure users to the vulnerable page. The medium severity rating reflects a moderate but non-negligible risk, particularly in environments where sensitive data or privileged user sessions are involved. European organizations with remote access to AllSky interfaces are particularly vulnerable due to the network attack vector.

To mitigate CVE-2025-65572, organizations should implement strict input validation and output encoding on all user-controllable parameters, especially config, filename, and extratext in allskySettings.php. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Limit access to the allskySettings.php page to trusted users or internal networks only, using network segmentation or VPNs. Educate users about the risks of clicking on untrusted links that may lead to the vulnerable page. Monitor web server logs for suspicious parameter values indicative of attempted XSS injection. Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting these parameters. Regularly review and update the AllSky software once patches are released by the vendor.