Vulnerability Lookup – Stored cross-site scripting (XSS)
DATE
2025-04-05
Affected Vendor
CIRCL – Computer Incident Response Center Luxembourg
Affected Product
Vulnerability Lookup – an open-source sharing platform to assist security teams, researchers, and system administrators in identifying and tracking vulnerabilities related to specific vendors and products – www.vulnerability-lookup.org
Vulnerable version
2.7.0
Fixed version
2.7.1
CVSS
6.4 Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Recommendations
Update to version 2.7.1 or newer
Vulnerability details
A stored cross-site scripting (XSS) vulnerability has been discovered in the Vulnerability Lookup web application.
A malicious authenticated user can inject JavaScript code into their own bio field. That script is then executed in the browsers of other authenticated users who view the malicious user's profile page.
It is possible to use this vulnerability to steal other users’ API keys.
Below is a sample JavaScript payload that demonstrates how to access the API key:
When a victim user visits the profile of a user whose bio contains malicious JavaScript code, the victim's API key is alerted as shown below:
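As an added illustration of the defensive side, not code from Vulnerability Lookup or from the 2.7.1 patch: a minimal allowlist sanitizer in Python for a free-text bio field. It keeps a few formatting tags and http(s)/mailto links, drops script and style bodies, event-handler attributes and unsafe URL schemes, and HTML-escapes all remaining text. The tag and attribute allowlist is an assumption chosen for the example; context-aware output encoding in the template remains the primary defence, with sanitization reserved for fields that are meant to carry limited markup.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for a "bio" field (assumption for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class BioSanitizer(HTMLParser):
    """Re-serialise the bio from the parsed token stream, keeping only allowlisted
    tags/attributes and escaping all text, so no user-supplied raw markup survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = None  # set while inside <script>/<style>; their body is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = tag
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick/onerror/... and any other attribute
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data: and relative/unknown targets
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # e.g. <br/>

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(data))  # text is always re-escaped


def sanitize_bio(raw: str) -> str:
    """Return an HTML fragment that is safe to place in a template's markup slot."""
    p = BioSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)
```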
CVE
CVE-2025-32413
Credits
Dawid Czarnecki