CVE-2025-9913: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in SICK AG Baggage Analytics
JavaScript can be run inside the address bar via the dashboard "Open in new Tab" button, making the application vulnerable to session hijacking.
AI Analysis
Technical Summary
CVE-2025-9913 identifies a cross-site scripting (CWE-79) vulnerability in the SICK AG Baggage Analytics product, present in all versions. The vulnerability arises from improper neutralization of input during web page generation, specifically through the dashboard's 'Open in new Tab' button. This flaw permits an attacker to inject and execute arbitrary JavaScript code within the address bar context when a user interacts with this feature. The primary risk is session hijacking, where an attacker can steal session tokens or cookies, compromising user confidentiality. The vulnerability requires the attacker to have authenticated access and for the user to perform an action (clicking the button), which limits remote exploitation but does not eliminate risk. The CVSS 3.1 score is 4.5 (medium), reflecting network attack vector, low attack complexity, required privileges, and user interaction. No integrity or availability impacts are noted. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability is significant for environments where Baggage Analytics is deployed, particularly in airport baggage handling systems, as session hijacking could lead to unauthorized access to sensitive operational data or control interfaces. The root cause is insufficient input sanitization or output encoding in the web interface, allowing JavaScript injection via URL parameters or dashboard controls.
Potential Impact
For European organizations, especially those in the transportation, logistics, and airport management sectors using SICK AG's Baggage Analytics, this vulnerability poses a confidentiality risk through session hijacking. Attackers could gain unauthorized access to user sessions, potentially exposing sensitive operational data or enabling further unauthorized actions within the system. While the vulnerability does not affect data integrity or system availability directly, compromised sessions could be leveraged for lateral movement or data exfiltration. The requirement for authenticated access and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. Given the critical role of baggage analytics in airport operations, any compromise could disrupt workflows or erode trust in system security. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, and session hijacking incidents could lead to compliance violations and reputational damage.
Mitigation Recommendations
Organizations should implement strict input validation and output encoding on all user-controllable inputs, particularly those involved in the 'Open in new Tab' dashboard feature. Until a vendor patch is released, disabling or restricting access to this feature for non-essential users can reduce risk. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Monitoring user sessions for anomalies and enforcing session timeouts and multi-factor authentication can limit session hijacking consequences. Security teams should conduct regular code reviews and penetration testing focused on web interface vulnerabilities. Additionally, educating users about the risks of interacting with untrusted links or dashboard elements can reduce exploitation chances. Once available, promptly applying vendor patches is critical. Network segmentation of the baggage analytics system and limiting administrative access to trusted personnel further reduce exposure.
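As an added illustration of the first recommendation (example code written for this page, not SICK AG's code or the vendor fix), the following client-side check lets an "Open in new Tab" control pass only http(s) URLs to the browser, so a dashboard value carrying a `javascript:` or `data:` scheme is refused instead of being executed in the new tab's address bar. The base origin `dashboard.example`, the optional host allowlist and the function names are assumptions.

```javascript
// Added example, not vendor code. Validate a dashboard-supplied link before
// an "Open in new Tab" control hands it to window.open. The vulnerable
// pattern is opening whatever string the dashboard holds; here the string is
// parsed with the WHATWG URL parser (which also strips leading control
// characters and lowercases the scheme, so "  JavaScript:" is caught) and
// only http: / https: survive, optionally restricted to known hosts.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if it is safe to open, otherwise null.
//   base         - assumed origin relative links resolve against
//   allowedHosts - optional array of host names; null means any http(s) host
function safeNewTabUrl(rawInput, { base = "https://dashboard.example", allowedHosts = null } = {}) {
  if (typeof rawInput !== "string") return null;
  const trimmed = rawInput.trim();
  if (trimmed === "") return null; // empty would resolve to the base itself
  let parsed;
  try {
    parsed = new URL(trimmed, base); // relative paths resolve against base
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (Array.isArray(allowedHosts) && !allowedHosts.includes(parsed.hostname)) return null;
  return parsed.href;
}

// Opens the link only when validation passes. "noopener,noreferrer" keeps the
// new tab from reaching back into the dashboard window. Returns true if opened.
// `win` is injectable so the function can be exercised outside a browser.
function openInNewTab(rawInput, win = globalThis.window, options = {}) {
  const url = safeNewTabUrl(rawInput, options);
  if (url === null) return false;
  if (win && typeof win.open === "function") {
    win.open(url, "_blank", "noopener,noreferrer");
  }
  return true;
}
```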
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: SICK AG
- Date Reserved: 2025-09-03T08:58:58.185Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e366f236c79392d67e7d7f
Added to database: 10/6/2025, 6:51:30 AM
Last enriched: 10/6/2025, 7:04:21 AM
Last updated: 10/6/2025, 8:36:08 PM