CVE-2025-1076 (GCVE-0-2025-1076)

Vulnerability from cvelistv5 – Published: 2025-02-06 13:33 – Updated: 2025-02-13 13:47
VLAI?
Title
Stored Cross-Site Scripting vulnerability in Holded
Summary
A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality.
Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Holded Holded Affected: all versions
Create a notification for this product.
Credits
Jesús Alcalde Alcázar Diego León Casas
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1076",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T14:15:13.488168Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-06T14:15:20.787Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Holded",
          "vendor": "Holded",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jes\u00fas Alcalde Alc\u00e1zar"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Diego Le\u00f3n Casas"
        }
      ],
      "datePublic": "2025-02-06T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality."
            }
          ],
          "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T13:47:45.237Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform."
            }
          ],
          "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stored Cross-Site Scripting vulnerability in Holded",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2025-1076",
    "datePublished": "2025-02-06T13:33:07.077Z",
    "dateReserved": "2025-02-06T10:26:29.876Z",
    "dateUpdated": "2025-02-13T13:47:45.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1076\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2025-02-06T14:15:30.287\",\"lastModified\":\"2025-02-06T14:15:30.287\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado una vulnerabilidad de Cross-Site Scripting (Stored XSS) Almacenado en la aplicaci\u00f3n Holded. Esta vulnerabilidad podr\u00eda permitir a un atacante almacenar un payload de JavaScript dentro de los par\u00e1metros editables \\\"nombre\\\" e \\\"icono\\\" de la funcionalidad Actividades.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded\",\"source\":\"cve-coordination@incibe.es\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1076\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T14:15:13.488168Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T14:15:17.104Z\"}}], \"cna\": {\"title\": \"Stored Cross-Site Scripting vulnerability in Holded\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jes\\u00fas Alcalde Alc\\u00e1zar\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Diego Le\\u00f3n Casas\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Holded\", \"product\": \"Holded\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform.\", \"base64\": false}]}], \"datePublic\": \"2025-02-06T11:00:00.000Z\", \"references\": [{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \\u2018name\\u2019 and \\u2018icon\\u2019 parameters of the Activities functionality.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \\u2018name\\u2019 and \\u2018icon\\u2019 parameters of the Activities functionality.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2025-02-13T13:47:45.237Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1076\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T13:47:45.237Z\", \"dateReserved\": \"2025-02-06T10:26:29.876Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2025-02-06T13:33:07.077Z\", \"assignerShortName\": \"INCIBE\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.