CVE-2025-25620

5.4 MEDIUM

📋 TL;DR

Unifiedtransform 2.0 contains a cross-site scripting vulnerability in the Create Assignment function that allows attackers to inject malicious scripts. This affects administrators and users who access the assignment creation interface. The vulnerability could lead to session hijacking, credential theft, or unauthorized actions.

💻 Affected Systems

Products:
  • Unifiedtransform
Versions: 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface; requires user interaction with the Create Assignment function.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies or credentials, enabling unauthorized access to user accounts and sensitive data.

🟢

If Mitigated

With proper input validation and output encoding, the risk is limited to minor UI disruption without significant security impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the Create Assignment function; proof-of-concept code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and output encoding in the source code or upgrading to a patched version if released.

🔧 Temporary Workarounds

Implement Input Validation

Add server-side input validation to sanitize user input in the Create Assignment function.

Enable Content Security Policy

Implement a strict Content Security Policy header to mitigate XSS impact.

Add the response header Content-Security-Policy: default-src 'self'; script-src 'self' to every HTTP response served by the application.

🧯 If You Can't Patch

  • Disable the Create Assignment function if not essential
  • Implement a web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test the Create Assignment function by attempting to inject script tags (e.g., <script>alert('XSS')</script>) and check if they execute.

Check Version:

Check the application version in the admin panel or configuration files.

Verify Fix Applied:

After implementing fixes, retest with the same XSS payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to assignment creation endpoints with script tags or JavaScript code

Network Indicators:

  • HTTP requests containing suspicious script payloads in assignment-related parameters

SIEM Query:

source="web_logs" AND (url_path="/assignment/create" OR url_path="/create_assignment") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
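As an added example that is not part of this page or of the Unifiedtransform project, the script below applies the logic of the SIEM query above to a few constructed web-server log lines. It goes beyond the literal query in two ways a plain substring match misses: browsers percent-encode form bodies, so a submitted "<script>" arrives as "%3Cscript%3E" in the raw request body, and the tag may be capitalised or carry attributes ("<SCRIPT src=...>"). The log line format (method, path, status, body), the two endpoint paths and the field names are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from the page or any real deployment).
# Format assumed for this example: "METHOD PATH STATUS BODY"
SAMPLE_LOG = """\
POST /assignment/create 302 title=Homework+1&description=Read+chapter+3
POST /assignment/create 302 title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&description=x
POST /create_assignment 200 title=Essay&description=%3CSCRIPT+src%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E
POST /assignment/create 302 title=Link&description=%3Ca+href%3D%22JavaScript%3Avoid(0)%22%3Eclick%3C%2Fa%3E
GET /assignment/create 200 -
POST /login 302 email=a%40example.invalid&password=secret
"""

# Endpoint paths from the page's SIEM query (assumed, since the exact routes are not confirmed).
ASSIGNMENT_PATHS = ("/assignment/create", "/create_assignment")

# The two indicators named on the page, written to tolerate case, whitespace and attributes.
PAYLOAD_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),    # any <script ...> opening tag
    re.compile(r"javascript\s*:", re.IGNORECASE),  # javascript: URI scheme
]


def parse_line(line):
    """Split one log line into a record; returns None for lines that do not fit the format."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    method, path, status, body = parts
    return {"method": method, "path": path, "status": int(status), "body": body}


def normalize_body(body):
    """Percent-decode the body (up to twice, to catch double encoding) and lowercase it."""
    decoded = body
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def has_script_payload(body):
    """True if the decoded body contains either indicator from the page."""
    text = normalize_body(body)
    return any(p.search(text) for p in PAYLOAD_PATTERNS)


def find_suspicious(log_text):
    """Return (line number, path) for POSTs to assignment endpoints carrying a script payload."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] not in ASSIGNMENT_PATHS:
            continue
        if has_script_payload(rec["body"]):
            hits.append((lineno, rec["path"]))
    return hits


if __name__ == "__main__":
    for lineno, path in find_suspicious(SAMPLE_LOG):
        print(f"line {lineno}: suspicious assignment POST to {path}")
```

Of the six constructed lines, only lines 2, 3 and 4 are flagged; the benign assignment POST, the GET and the login POST are ignored. Note that a SIEM rule written as CONTAINS "<script>" against the raw body would miss all three, because the payloads are percent-encoded, one tag is upper-case with a src attribute, and the javascript: scheme appears inside an href rather than in a script tag.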
