CVE-2025-57424

HIGH

MyCourts v3 - Stored Cross-Site Scripting in LTA Number Profile Field

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the HttpOnly flag on the session cookie, this flaw could be exploited to capture session tokens and hijack user sessions, enabling elevated access.

References (1)

Core 1

Scores

CVSS v3 7.3
EPSS 0.0025
EPSS Percentile 16.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1004 CWE-79
Status published
Published Sep 29, 2025
Tracked Since Feb 18, 2026