CVE-2025-25189

MEDIUM

ZOO-Project <7a5ae1a - XSS

Title source: llm

Description

The ZOO-Project is an open source processing platform. A reflected Cross-Site Scripting vulnerability exists in the ZOO-Project Web Processing Service (WPS) publish.py CGI script prior to commit 7a5ae1a. The script reflects user input from the `jobid` parameter in its HTTP response without proper HTML encoding or sanitization. When a victim visits a specially crafted URL pointing to this endpoint, arbitrary JavaScript code can be executed in their browser context. The vulnerability occurs because the CGI script directly outputs the query string parameters into the HTML response without escaping HTML special characters. An attacker can inject malicious JavaScript code through the `jobid` parameter which will be executed when rendered by the victim's browser. Commit 7a5ae1a contains a fix for the issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-pw7m-p9q7-357p

Patch x_refsource_misc

https://github.com/ZOO-Project/ZOO-Project/commit/7a5ae1a10faa2f9877d18ec72550dc23e8ce1aac

View Patch ZIP pw:eip

Scores

CVSS v4 5.5

EPSS 0.0027

EPSS Percentile 50.7%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

ZOO-Project/ZOO-Project < 7a5ae1a

Published Feb 10, 2025

Tracked Since Feb 18, 2026