CVE-2025-6923: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in TalentSoft Software UNIS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software UNIS allows Reflected XSS. This issue affects UNIS: before 42957.
AI Analysis
Technical Summary
CVE-2025-6923 identifies a reflected Cross-site Scripting (XSS) vulnerability in TalentSoft Software's UNIS product, affecting versions prior to 42957. This vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before incorporating it into dynamically generated web pages, allowing attackers to craft malicious URLs or input fields that inject executable JavaScript code. When a victim interacts with such crafted content, the malicious script executes within their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely over the network without requiring authentication (AV:N/AC:L/PR:N), but it does require user interaction (UI:R), such as clicking a malicious link. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS v3.1 base score is 5.4, reflecting low to moderate impact on confidentiality and integrity, with no impact on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a credible risk. The affected product, TalentSoft UNIS, is an enterprise software solution widely used for HR and talent management, making it a valuable target for attackers aiming to compromise user sessions or harvest sensitive information through social engineering attacks.
Potential Impact
For European organizations, the reflected XSS vulnerability in TalentSoft UNIS could lead to targeted phishing or spear-phishing campaigns where attackers trick users into clicking malicious links that execute scripts in their browsers. This can result in session hijacking, unauthorized access to user accounts, or manipulation of displayed content, potentially undermining user trust and data integrity. Although the vulnerability does not directly affect system availability, the confidentiality and integrity of user sessions and data can be compromised. Organizations handling sensitive HR data or personal information are at particular risk, as attackers could leverage this vulnerability to escalate attacks or move laterally within networks. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially given the widespread use of TalentSoft UNIS in European enterprises. Failure to address this vulnerability could lead to reputational damage, regulatory non-compliance under GDPR due to data exposure, and potential financial losses from fraud or data breaches.
Mitigation Recommendations
Organizations should monitor TalentSoft's official channels for patches addressing this vulnerability and apply them promptly once released. In the interim, implement strict input validation and output encoding on all user-supplied data within the UNIS application environment to prevent script injection. Deploy Content Security Policies (CSP) to restrict the execution of unauthorized scripts in browsers. Educate users about the risks of clicking unsolicited links, especially those purporting to be from internal HR systems. Employ web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting TalentSoft UNIS. Conduct regular security assessments and penetration testing focused on web application input handling. Additionally, review and harden session management mechanisms to reduce the impact of potential session hijacking. Logging and monitoring for unusual user activity can help detect exploitation attempts early.
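The output-encoding, CSP and log-monitoring recommendations above, shown as an added Python example that is not TalentSoft's code and assumes a hypothetical search endpoint that reflects a `q` parameter; the log lines are constructed.

```python
import html
import re
from urllib.parse import quote, unquote_plus

# Constructed sample input: the canonical XSS test string, used here only to show encoding.
SAMPLE_INPUT = "<script>alert(1)</script>"

# Constructed access-log lines for a hypothetical /unis/search endpoint (assumption, not a real path).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Dec/2025:14:35:28 +0000] "GET /unis/search?q=python+developer HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Dec/2025:14:36:01 +0000] "GET /unis/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611',
]

def render_search_unsafe(term: str) -> str:
    """Vulnerable pattern (CWE-79): the reflected parameter is concatenated into HTML as-is."""
    return f"<p>Results for: {term}</p>"

def render_search_safe(term: str) -> str:
    """Hardened: entity-encode for the HTML text context before reflecting the value."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def render_link_safe(term: str) -> str:
    """Hardened for a URL-in-attribute context: percent-encode first, then attribute-encode."""
    return f'<a href="/search?q={html.escape(quote(term, safe=""), quote=True)}">again</a>'

def security_headers() -> dict:
    """Defence in depth: a CSP that forbids inline script, so a reflected <script> block does not run."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }

# Tag-like token, javascript: scheme, or an on*= event-handler attribute in the decoded query string.
_PROBE = re.compile(r"<\s*[a-z!/]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def looks_like_reflected_probe(query_string: str) -> bool:
    """Coarse log/WAF check; decodes twice so double-encoded probes are not missed."""
    decoded = unquote_plus(unquote_plus(query_string))
    return _PROBE.search(decoded) is not None

def suspicious_requests(log_lines) -> list:
    """Return the query strings of GET requests whose parameters trip the probe check."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET \S*\?(\S*) HTTP', line)
        if m and looks_like_reflected_probe(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(render_search_unsafe(SAMPLE_INPUT))
    print(render_search_safe(SAMPLE_INPUT))
    print(suspicious_requests(SAMPLE_LOG))
```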
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-06-30T13:10:02.546Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693833b029cea75c35ae5795
Added to database: 12/9/2025, 2:35:28 PM
Last enriched: 12/9/2025, 2:50:01 PM
Last updated: 12/11/2025, 5:41:05 AM