CVE-2025-63416
CRITICAL
SelfBest 2023.3 - Authenticated Stored Cross-Site Scripting in Chat Functionality
Title source: llmDescription
Tags: exclusively-hosted-service
A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users' sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint.
References (2)
Core 2
Core References
Exploit, Mitigation, Third Party Advisory
https://rohitchaudhary045.medium.com/cve-2025-63416-the-admin-panel-heist-stored-xss-to-privilege-escalation-b4c69d8487f1
Product
https://self.best
Scores
CVSS v3
9.1
EPSS
0.0033
EPSS Percentile
24.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
selfbest/selfbest
2023.3
Published
Nov 05, 2025
Tracked Since
Feb 18, 2026