CVE-2025-27921: Reflected Cross-Site Scripting (XSS) Vulnerability
Published: 2024-12-25
Title: Reflected Cross-Site Scripting (XSS) Vulnerability
Impact: Arbitrary JavaScript execution in the victim’s browser
Affected Versions: All versions earlier than V2.0.63
Fixed Version: V2.0.63
Description
A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger V2.0.62, where unsanitized input could be injected into the web application’s response. The vulnerability occurs when user-controlled input is reflected back to the browser without proper sanitization or output encoding.
This allows an attacker to inject and execute arbitrary JavaScript in the victim’s browser, enabling compromise of the victim’s session or other client-side attacks.
Impact
Remote attackers can inject and execute arbitrary JavaScript in the context of the victim’s session. This could lead to:
- Session hijacking
- Phishing attacks
- Other client-side exploits
Important: This vulnerability may allow attackers to gain control of user sessions, steal sensitive information, or launch additional malicious actions in the context of the victim’s session.
Fixed Version
The vulnerability was fixed in Output Messenger version V2.0.63. Users are strongly encouraged to upgrade to this version to mitigate the risk associated with this issue.
References
- Fixed Version Download: Download V2.0.63
- Release Notes: View Release Notes
- CVE Identifier: CVE-2025-27921
Acknowledgments
We thank Microsoft Security Response Center for responsibly disclosing this issue and helping us address it in a timely manner.