CVE-2025-32413
📋 TL;DR
Vulnerability-Lookup versions before 2.7.1 contain a stored cross-site scripting (XSS) vulnerability in the user bio field. This allows attackers to inject malicious scripts that execute when other users view the affected profile. All users of vulnerable versions who can view user profiles are potentially affected.
💻 Affected Systems
- Vulnerability-Lookup
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through credential theft.
Likely Case
Attackers inject malicious scripts in user bios that execute when other users view those profiles, potentially stealing session tokens or performing limited unauthorized actions.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any impact.
🎯 Exploit Status
Exploitation requires the ability to create or modify a user profile with a malicious bio, but the complexity is low once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.1
Vendor Advisory: https://github.com/vulnerability-lookup/vulnerability-lookup/commit/0a120af1de4a0a13bc2e2000f3c4639291122ba0
Restart Required: Yes
Instructions:
1. Backup your current installation. 2. Update to version 2.7.1 using pip: 'pip install vulnerability-lookup==2.7.1'. 3. Restart the Vulnerability-Lookup service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable User Bio Functionality
allTemporarily disable or restrict the user bio field in the web interface to prevent XSS injection.
Modify website/web/views/user.py to remove or sanitize bio field input
Implement WAF Rules
allConfigure web application firewall rules to block XSS patterns in user bio submissions.
Add WAF rules to detect and block script tags and JavaScript in POST requests to user profile endpoints
🧯 If You Can't Patch
- Implement strict input validation to sanitize all user bio content before storage
- Apply output encoding when displaying user bios to prevent script execution
🔍 How to Verify
Check if Vulnerable:
Check if your Vulnerability-Lookup version is below 2.7.1 by examining the installed package version.Check Version:
pip show vulnerability-lookup | grep VersionVerify Fix Applied:
After updating to 2.7.1, test by attempting to inject basic XSS payloads in the user bio field and verify they are properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual length or content in user bio updates
- Multiple failed XSS attempts in user profile modifications
Network Indicators:
- POST requests to user profile endpoints containing script tags or JavaScript patterns
SIEM Query:
source="vulnerability-lookup" AND (event="user_update" AND bio CONTAINS "<script>" OR bio CONTAINS "javascript:")