CVE-2025-7761 (GCVE-0-2025-7761)
Vulnerability from cvelistv5 – Published: 2025-08-14 10:01 – Updated: 2025-08-14 14:49
VLAI?
Title
Reflected XSS in Lepszy BIP
Summary
Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in index.php form in one of the parameters allows arbitrary JavaScript to be executed on victim's browser when specially crafted URL is opened.
The vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Akcess-Net | Lepszy BIP |
Affected:
0 , ≤ *.*
(semver)
|
Credits
Kamil Szczurowski
Robert Kruczek
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7761",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:36:04.731500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:49:01.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.lepszybip.pl/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Lepszy BIP",
"vendor": "Akcess-Net",
"versions": [
{
"lessThanOrEqual": "*.*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kamil Szczurowski"
},
{
"lang": "en",
"type": "finder",
"value": "Robert Kruczek"
}
],
"datePublic": "2025-08-14T09:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in\u0026nbsp;\u003ctt\u003eindex.php\u0026nbsp;\u003c/tt\u003eform in one of the parameters\u0026nbsp;allows arbitrary JavaScript to be executed on victim\u0027s browser when specially crafted URL is opened.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in\u00a0index.php\u00a0form in one of the parameters\u00a0allows arbitrary JavaScript to be executed on victim\u0027s browser when specially crafted URL is opened.\n\nThe vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T10:01:38.710Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2025/07/CVE-2025-7761"
},
{
"tags": [
"product"
],
"url": "https://www.lepszybip.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected XSS in Lepszy BIP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-7761",
"datePublished": "2025-08-14T10:01:38.710Z",
"dateReserved": "2025-07-17T14:06:46.777Z",
"dateUpdated": "2025-08-14T14:49:01.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-7761\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2025-08-14T10:15:29.300\",\"lastModified\":\"2025-08-14T15:15:42.117\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in\u00a0index.php\u00a0form in one of the parameters\u00a0allows arbitrary JavaScript to be executed on victim\u0027s browser when specially crafted URL is opened.\\n\\nThe vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.\"},{\"lang\":\"es\",\"value\":\"Lepszy BIP es vulnerable a ataques de Cross-Site Scripting (XSS) reflejado. La validaci\u00f3n incorrecta de la entrada en el formato index.php en uno de los par\u00e1metros permite la ejecuci\u00f3n de JavaScript arbitrario en el navegador de la v\u00edctima al abrir una URL especialmente manipulada. Se contact\u00f3 al proveedor con antelaci\u00f3n para informarle sobre esta revelaci\u00f3n, pero no respondi\u00f3. Potencialmente, todas las versiones son vulnerables.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://cert.pl/posts/2025/07/CVE-2025-7761\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://www.lepszybip.pl/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://www.lepszybip.pl/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-7761\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T13:36:04.731500Z\"}}}], \"references\": [{\"url\": \"https://www.lepszybip.pl/\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T13:36:08.673Z\"}}], \"cna\": {\"title\": \"Reflected XSS in Lepszy BIP\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Kamil Szczurowski\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Robert Kruczek\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Akcess-Net\", \"product\": \"Lepszy BIP\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"*.*\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-08-14T09:55:00.000Z\", \"references\": [{\"url\": \"https://cert.pl/posts/2025/07/CVE-2025-7761\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.lepszybip.pl/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in\\u00a0index.php\\u00a0form in one of the parameters\\u00a0allows arbitrary JavaScript to be executed on victim\u0027s browser when specially crafted URL is opened.\\n\\nThe vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in\u0026nbsp;\u003ctt\u003eindex.php\u0026nbsp;\u003c/tt\u003eform in one of the parameters\u0026nbsp;allows arbitrary JavaScript to be executed on victim\u0027s browser when specially crafted URL is opened.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2025-08-14T10:01:38.710Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-7761\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-14T14:49:01.373Z\", \"dateReserved\": \"2025-07-17T14:06:46.777Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2025-08-14T10:01:38.710Z\", \"assignerShortName\": \"CERT-PL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…