CVE-2025-66098: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Camille V Travelers' Map
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Camille V Travelers' Map travelers-map allows Stored XSS. This issue affects Travelers' Map: from n/a through <= 2.3.2.
AI Analysis
Technical Summary
CVE-2025-66098 identifies a stored cross-site scripting (XSS) vulnerability in the Camille V Travelers' Map software, versions up to and including 2.3.2. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which allows malicious scripts to be stored on the server and executed in the browsers of other users who view the affected content. Stored XSS is particularly dangerous because the payload persists and affects every user who loads the page, without the attacker having to repeat the exploitation. The CVSS 3.1 vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Confidentiality, integrity, and availability are each rated as low impact (C:L, I:L, A:L), reflecting potential data leakage, unauthorized script execution, and possible service disruption. No known exploits are currently reported in the wild, but the vulnerability should be considered a medium risk given its potential impact and the ease of exploitation once the required privileges and user interaction are present. The software is used for travel mapping and related services and may be integrated into travel agencies, tourism platforms, or related business environments. Because no patch was available at the time of publication, input validation and monitoring need immediate attention.
Potential Impact
For European organizations, especially those in the travel, tourism, and hospitality sectors using Camille V Travelers' Map, this vulnerability can lead to unauthorized script execution in users' browsers, potentially exposing sensitive user data such as session tokens or personal information, or allowing an attacker to perform actions on behalf of users. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and operational disruption if attackers leverage the vulnerability to inject malicious payloads or conduct phishing attacks. The medium severity score reflects moderate risk, but the changed scope indicates that the vulnerability could affect multiple components or users beyond the initial target. Organizations relying on this software for customer-facing services or internal travel management may face increased risk of targeted attacks. Additionally, because exploitation requires privileges and user interaction, insider threats or compromised accounts could be used to exploit this vulnerability, increasing its potential impact.
Mitigation Recommendations
1. Apply official patches or updates from Camille V as soon as they become available to remediate the vulnerability.
2. Implement strict server-side input validation and output encoding to neutralize potentially malicious input before rendering it in web pages.
3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
4. Conduct regular security audits and code reviews focusing on input handling and sanitization in the Travelers' Map application.
5. Monitor web application logs and user activity for unusual behavior indicative of exploitation attempts.
6. Educate users and administrators about the risks of XSS and the importance of cautious interaction with untrusted content.
7. Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privileged users.
8. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting this application.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:12.145Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69205c31c36be036e6ff276d
Added to database: 11/21/2025, 12:33:53 PM
Last enriched: 1/31/2026, 8:08:12 AM
Last updated: 2/5/2026, 8:32:13 PM