CVE-2025-44206

4.6 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Scripting (XSS) vulnerability in Hexagon HxGN OnCall Dispatch Advantage products. Remote authenticated attackers with access to the Broadcast (Person) functionality can inject malicious scripts that execute in victims' browsers. This affects organizations using vulnerable versions of the web and mobile applications.

💻 Affected Systems

Products:
  • Hexagon HxGN OnCall Dispatch Advantage (Web)
  • Hexagon HxGN OnCall Dispatch Advantage (Mobile)
Versions: Web: v10.2309.03.00264, Mobile: v10.2402
Operating Systems: Not specified
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Broadcast (Person) functionality. Both web and mobile versions are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Attackers steal session tokens to hijack user accounts, potentially accessing sensitive dispatch data or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the attack surface is reduced, though authenticated users could still be targeted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. XSS attacks typically have low complexity once the injection point is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://hexagon.com/products/hxgn-oncall-dispatch/

Restart Required: No

Instructions:

Check Hexagon's official advisory for patch availability and installation instructions. Update to a patched version when released.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)
Applies to: all
Add CSP headers to restrict script execution sources and reduce XSS impact.
Instructions: Add a 'Content-Security-Policy' header to the web server configuration.

Restrict Broadcast Function Access
Applies to: all
Limit which authenticated users can access the Broadcast (Person) functionality.
Instructions: Configure role-based access controls in the application settings.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block XSS payloads
  • Monitor for suspicious activity in Broadcast functionality logs
  • Implement user education about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check application version against affected versions. Test Broadcast functionality for input validation issues.

Check Version:

Check application settings or about page for version information

Verify Fix Applied:

Verify application has been updated to a version not listed in affected versions. Test that script injection in Broadcast functionality is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Broadcast functionality
  • Multiple failed script injection attempts in input fields

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Broadcast-related parameters

SIEM Query:

source="application_logs" AND (event="Broadcast" OR function="Person") AND (message CONTAINS "<script>" OR message CONTAINS "javascript:")
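As an added example (not part of this advisory or the vendor's tooling), the same detection logic as the query above applied to constructed sample log lines in an assumed key=value format; it normalizes URL-encoded and HTML-entity-encoded payloads that a plain CONTAINS match on "<script>" or "javascript:" would miss, and ignores events outside the Broadcast (Person) function:

```python
import html
import re
from shlex import split
from urllib.parse import unquote

# Constructed sample lines in an assumed key=value format (not real product output).
SAMPLE_LOGS = [
    'ts=2025-06-01T10:00:00Z user=alice event=Broadcast function=Person message="Shift change at 14:00"',
    'ts=2025-06-01T10:01:10Z user=mallory event=Broadcast function=Person message="<script>alert(1)</script>"',
    'ts=2025-06-01T10:02:30Z user=mallory event=Broadcast function=Person message="%3Cscript%3Ealert(1)%3C/script%3E"',
    'ts=2025-06-01T10:03:00Z user=mallory event=Broadcast function=Person message="&lt;ScRiPt&gt;x&lt;/script&gt;"',
    'ts=2025-06-01T10:04:00Z user=bob event=Login function=Auth message="<script>not a broadcast</script>"',
    'ts=2025-06-01T10:05:00Z user=carol event=Broadcast function=Person message="see javascript&#58;void(0)"',
]
# The two indicators from the advisory's SIEM query, tolerant of case and spacing.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b"),
    "javascript_uri": re.compile(r"javascript\s*:"),
}

def parse_line(line):
    """Split a key=value log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def normalize(text):
    """Undo URL encoding (three passes to cover double encoding) and HTML entities, then lowercase."""
    for _ in range(3):
        text = unquote(text)
    return html.unescape(text).lower()

def find_indicators(message):
    """Names of indicators present after normalization; a raw CONTAINS match misses encoded forms."""
    norm = normalize(message)
    return [name for name, pat in INDICATORS.items() if pat.search(norm)]

def flag_suspicious(lines):
    """Return Broadcast/Person events whose message carries a script indicator."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("event") != "Broadcast" and rec.get("function") != "Person":
            continue
        found = find_indicators(rec.get("message", ""))
        if found:
            hits.append({"ts": rec["ts"], "user": rec["user"], "indicators": found})
    return hits
```

Run `flag_suspicious(SAMPLE_LOGS)` to see the four flagged Broadcast events; the Login event containing a script tag is correctly left out.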
