CVE-2025-8664: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Saysis Computer Systems Trade Ltd. Co. StarCities E-Municipality Management
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities E-Municipality Management allows Cross-Site Scripting (XSS). This issue affects StarCities E-Municipality Management: before 20250825.
AI Analysis
Technical Summary
CVE-2025-8664 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the StarCities E-Municipality Management software developed by Saysis Computer Systems Trade Ltd. Co. This vulnerability arises from improper neutralization of user input during web page generation, allowing malicious actors to inject and execute arbitrary scripts in the context of the affected web application. The flaw exists in versions of StarCities E-Municipality Management prior to 20250825. The vulnerability has a CVSS v3.1 base score of 6.3, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network without requiring privileges, but it does require user interaction (e.g., clicking a malicious link). Successful exploitation can lead to limited confidentiality, integrity, and availability impacts, such as theft of session cookies, defacement of web pages, or redirection to malicious sites. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability is particularly concerning for e-municipality management systems, which often handle sensitive citizen data and provide critical public services, making them attractive targets for attackers aiming to disrupt services or steal information.
Potential Impact
For European organizations, especially municipal governments and public sector entities using StarCities E-Municipality Management, this vulnerability poses a risk of unauthorized access to user sessions and potential manipulation of web content. Exploitation could lead to the compromise of citizen data confidentiality, erosion of trust in public digital services, and disruption of municipal operations. Given the nature of e-municipality platforms, attackers might leverage XSS to conduct phishing campaigns targeting citizens or officials, inject malware, or perform privilege escalation if combined with other vulnerabilities. The impact extends beyond technical damage to reputational harm and potential regulatory consequences under GDPR due to data exposure. The medium severity score reflects that while the vulnerability requires user interaction and results in limited direct system control, the criticality of the affected services amplifies the overall risk for European municipalities.
Mitigation Recommendations
Organizations should prioritize the following specific mitigation steps:
1) Implement strict input validation and output encoding on all user-supplied data within the StarCities E-Municipality Management application, focusing on HTML, JavaScript, and URL contexts to prevent script injection.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
3) Conduct thorough code reviews and security testing (including automated scanning and manual penetration testing) targeting XSS vulnerabilities in all web-facing components of the platform.
4) Educate municipal staff and users about the risks of clicking unknown links or interacting with suspicious content to reduce the likelihood of successful exploitation requiring user interaction.
5) Monitor web application logs for unusual activities indicative of XSS attempts.
6) Engage with Saysis Computer Systems Trade Ltd. Co. to obtain and apply security patches promptly once available.
7) Consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS payloads specific to the StarCities platform.
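The encoding, CSP and log-monitoring steps above are generic, so the following added example shows what they look like in working code. It is not code from StarCities or Saysis, and nothing is known about that product's stack; it is a small Node.js rendering of a hypothetical citizen profile page that picks a different encoder for each output context (HTML body, quoted attribute, JavaScript string literal, URL query value, href), emits a nonce-based Content-Security-Policy header, and runs a coarse triage filter over constructed sample log lines. The page fields, route names and log lines are all invented for the example.

```javascript
// Added example, not code from StarCities or Saysis: context-aware output
// encoding for the HTML, JavaScript and URL contexts named in the mitigation
// list, a CSP header, and a simple log check. All sample values are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body and quoted-attribute context: entity-encode the five significant characters.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: hex/unicode-escape everything that is not
// alphanumeric, so a quote or a closing tag can never terminate the literal.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value, never the whole URL.
function buildSearchUrl(term) {
  return '/search?q=' + encodeURIComponent(term);
}

// href context for a user-supplied link: accept only absolute http(s) URLs
// (the policy chosen for this example), then HTML-encode for the attribute.
function safeHref(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch { return '#'; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? encodeHtml(parsed.href) : '#';
}

// Content-Security-Policy that allows only same-origin and nonce-tagged scripts,
// so an injected inline <script> without the nonce is not executed.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Server-side rendering of a hypothetical profile page: one encoder per context.
// The nonce must be fresh per response (crypto.randomBytes in production).
function renderProfilePage(user, nonce) {
  return [
    '<!doctype html><html><body>',
    `<h1>Welcome, ${encodeHtml(user.displayName)}</h1>`,
    `<input name="search" value="${encodeHtml(user.lastSearch)}">`,
    `<a href="${encodeHtml(buildSearchUrl(user.lastSearch))}">Repeat search</a>`,
    `<a href="${safeHref(user.website)}">Website</a>`,
    `<script nonce="${nonce}">const citizenName = "${encodeJsString(user.displayName)}";</script>`,
    '</body></html>',
  ].join('\n');
}

// Mitigation item 5: flag request lines whose decoded query string carries markup
// or a script scheme. Coarse, for triage only; it complements encoding, not replaces it.
const PROBE_PATTERNS = [/<\s*script/i, /javascript\s*:/i, /\bon[a-z]+\s*=/i];

function flagSuspiciousRequests(logLines) {
  return logLines.filter((line) => {
    let decoded;
    try { decoded = decodeURIComponent(line); } catch { decoded = line; }
    return PROBE_PATTERNS.some((re) => re.test(decoded));
  });
}

// Constructed sample log lines (not real StarCities logs).
const SAMPLE_LOG = [
  '10.0.0.5 GET /search?q=vergi+borcu 200',
  '10.0.0.9 GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200',
  '10.0.0.7 GET /profile?website=javascript%3Aalert(1) 302',
];

// Stand-alone demo with constructed, hostile-looking input.
const demoUser = { displayName: '<script>alert(1)</script>', lastSearch: '" onfocus="alert(1)', website: 'javascript:alert(1)' };
const demoNonce = 'demo-nonce-replace-with-random';
console.log(renderProfilePage(demoUser, demoNonce));
console.log('Content-Security-Policy: ' + cspHeader(demoNonce));
console.log(flagSuspiciousRequests(SAMPLE_LOG));
```

The point of the per-context encoders is that a single HTML escape is not enough: the same display name is safe in the heading after `encodeHtml`, but inside the inline script it needs `encodeJsString`, and a user-supplied link needs a scheme check before it goes into an href at all. The CSP header is the second layer: even if one output path is missed, a script tag that lacks the per-response nonce is blocked by the browser.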
Affected Countries
Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Austria, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-08-06T07:55:51.544Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cd6d3342cc324345d33b42
Added to database: 9/19/2025, 2:48:19 PM
Last enriched: 9/19/2025, 2:48:37 PM
Last updated: 9/19/2025, 3:30:00 PM
Views: 2
Related Threats
- CVE-2025-55910: n/a (High)
- CVE-2025-59427: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in cloudflare workers-sdk (Low)
- CVE-2025-10647: CWE-434 Unrestricted Upload of File with Dangerous Type in salzano Embed PDF for WPForms (High)
- CVE-2025-10630: CWE-20 Improper Input Validation in Grafana grafana-zabbix-plugin (Medium)
- CVE-2025-7702: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Pusula Communication Information Internet Industry and Trade Ltd. Co. Manageable Email Sending System (Medium)