CVE-2025-1076
📋 TL;DR
A stored XSS vulnerability in Holded's Activities functionality allows attackers to inject malicious JavaScript into the 'name' and 'icon' parameters. This affects all Holded users who can access the Activities feature. When other users view these activities, the malicious script executes in their browsers.
💻 Affected Systems
- Holded
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to phishing sites, or compromise user accounts through client-side attacks.
Likely Case
Attackers with access to create/edit activities could embed malicious scripts that execute when other users view those activities, potentially stealing session data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the malicious payloads would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Requires authenticated access to create/edit activities. Stored XSS payloads are simple to craft and execute automatically when viewed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded
Restart Required: No
Instructions:
1. Update Holded to latest version
2. Verify Activities functionality properly sanitizes 'name' and 'icon' inputs
3. Test that XSS payloads are no longer executed
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to reject or sanitize HTML/JavaScript in Activities parameters
Content Security Policy
Implement strict CSP headers to prevent execution of inline scripts
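The two workarounds above, shown together as an added example (this is not Holded's code and the real Activities schema is not on the page): server-side validation of the 'name' and 'icon' inputs, HTML output encoding at render time so a stored payload is displayed as text, and a strict Content-Security-Policy value. The `{ name, icon }` record shape, the icon allow-list pattern and the `'self'` origin are assumptions.

```javascript
// Added example, not Holded's code. The Activity shape { name, icon },
// the icon allow-list and the CSP origins are assumptions.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a string for insertion into an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed allow-list: icons are identifiers such as "calendar" or "phone-call".
const ICON_PATTERN = /^[a-z][a-z0-9-]{0,31}$/;

// Server-side validation of a create/edit request body.
// Returns { ok: true, value } or { ok: false, errors }.
function validateActivityInput(body) {
  const errors = [];
  const name = typeof body.name === "string" ? body.name.trim() : "";
  const icon = typeof body.icon === "string" ? body.icon.trim() : "";
  if (name.length === 0 || name.length > 120) {
    errors.push("name must be 1-120 characters");
  }
  if (!ICON_PATTERN.test(icon)) {
    errors.push("icon must be a known icon identifier");
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { name, icon } };
}

// Render one activity. Every dynamic value passes through escapeHtml, so a
// payload that is already stored is shown as text instead of parsed as markup.
function renderActivity(activity) {
  return (
    `<li class="activity">` +
    `<span class="icon icon-${escapeHtml(activity.icon)}"></span>` +
    `<span class="name">${escapeHtml(activity.name)}</span>` +
    `</li>`
  );
}

// Strict CSP: no inline scripts, scripts only from the application's own
// origin. 'self' stands in for whatever origins the deployment really needs.
function cspHeaderValue() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample: a stored record of the kind the advisory describes.
const storedPayload = {
  name: "<script>alert('XSS')</script>",
  icon: 'calendar" onload="x',
};

console.log(renderActivity(storedPayload));   // payload appears as escaped text
console.log(validateActivityInput(storedPayload)); // { ok: false, errors: [...] }
console.log("Content-Security-Policy:", cspHeaderValue());
```

Validation stops new payloads at the edge; output encoding and the CSP are what protect viewers from records that were stored before the filter existed, so all three belong together rather than as alternatives.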
🧯 If You Can't Patch
- Restrict access to Activities creation/editing to trusted users only
- Implement web application firewall rules to block XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Test by entering XSS payloads like <script>alert('XSS')</script> in Activities name/icon fields and checking if they execute when viewed
Check Version:
Check Holded application version in admin panel or about section
Verify Fix Applied:
Attempt same XSS payloads and verify they are properly sanitized/encoded and do not execute
📡 Detection & Monitoring
Log Indicators:
- Unusual length or content in Activities name/icon fields
- JavaScript patterns in user input logs
Network Indicators:
- Unexpected external script loads from Activities pages
- Suspicious outbound connections after viewing activities
SIEM Query:
source="holded_logs" AND (message="*<script>*" OR message="*javascript:*")
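The log indicators and the SIEM query above, turned into a small detector as an added example (not Holded's code): it parses constructed audit lines for Activities field changes, flags script tags, `javascript:` URIs, inline event handlers and unusually long values, and skips fields other than 'name' and 'icon'. The key=value log format, the 120-character length threshold and the sample lines are all assumptions.

```javascript
// Added example, not Holded's code. The log line format, the length
// threshold and the sample records below are constructed for illustration.

const INDICATOR_PATTERNS = [
  { id: "script-tag", re: /<\s*script\b/i },
  { id: "javascript-uri", re: /javascript\s*:/i },
  { id: "event-handler", re: /\bon[a-z]+\s*=/i },
  { id: "embedded-tag", re: /<\s*(svg|img|iframe)\b/i },
];
const MAX_EXPECTED_LENGTH = 120; // assumed normal upper bound for a name/icon

// Parse one constructed line of the form:
//   ts=<iso> user=<id> action=<verb> field=<field> value="<text>"
function parseLine(line) {
  const m = line.match(/^ts=(\S+) user=(\S+) action=(\S+) field=(\S+) value="(.*)"$/);
  if (!m) return null;
  return { ts: m[1], user: m[2], action: m[3], field: m[4], value: m[5] };
}

// Return the list of indicator ids that fire on a single field value.
function inspectValue(value) {
  const hits = INDICATOR_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.id);
  if (value.length > MAX_EXPECTED_LENGTH) hits.push("unusual-length");
  return hits;
}

// Scan a batch of lines and emit one alert per suspicious name/icon change.
function scanLogs(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !["name", "icon"].includes(rec.field)) continue;
    const hits = inspectValue(rec.value);
    if (hits.length) alerts.push({ ...rec, indicators: hits });
  }
  return alerts;
}

// Constructed sample log lines (users, timestamps and values are made up).
const SAMPLE_LOGS = [
  'ts=2025-01-01T10:00:00Z user=alice action=activity.create field=name value="Call with supplier"',
  'ts=2025-01-01T10:01:00Z user=alice action=activity.create field=icon value="phone-call"',
  'ts=2025-01-01T10:02:00Z user=mallory action=activity.update field=name value="<script>alert(\'XSS\')</script>"',
  'ts=2025-01-01T10:03:00Z user=mallory action=activity.update field=icon value="x onerror=alert(1)"',
  'ts=2025-01-01T10:04:00Z user=bob action=activity.create field=name value="' + "A".repeat(300) + '"',
  'ts=2025-01-01T10:05:00Z user=bob action=activity.create field=description value="<b>ignored field</b>"',
];

for (const alert of scanLogs(SAMPLE_LOGS)) {
  console.log(`${alert.ts} ${alert.user} ${alert.action} ${alert.field}: ${alert.indicators.join(",")}`);
}
```

The event-handler and length checks catch payloads that the literal `<script>` / `javascript:` query above would miss; tune `MAX_EXPECTED_LENGTH` to the real distribution of activity names before relying on that signal.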