CVE-2025-47201
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Intrexx Portal Server allows attackers to inject malicious JavaScript into HTML pages through Velocity-Scripts. Users who view manipulated pages could have their sessions hijacked or be redirected to malicious sites. All organizations running vulnerable versions of Intrexx Portal Server are affected.
💻 Affected Systems
- Intrexx Portal Server
📦 What is this software?
Intrexx by Intrexx
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, perform actions as authenticated users, deface websites, or redirect users to phishing sites.
Likely Case
Session hijacking, cookie theft, or limited website defacement affecting users who view manipulated content.
If Mitigated
With proper input validation and output encoding, the impact would be minimal as malicious scripts would be neutralized.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity, though specific exploit details aren't publicly documented for this CVE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.0.4
Vendor Advisory: https://security.intrexx.com/en/security-advisories/ixsa-20250429-01/
Restart Required: Yes
Instructions:
1. Download Intrexx Portal Server version 12.0.4 or later from the official vendor portal.
2. Back up your current installation and data.
3. Run the installer/upgrade package.
4. Restart the Intrexx service.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution sources
Add 'Content-Security-Policy' header to web server configuration with appropriate directives
Input Validation Filter
Implement server-side input validation for Velocity-Script parameters
Modify Velocity templates to escape user input: $encoder.htmlEscape($userInput)
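The following Python snippet is an added illustration of why the escaping workaround above neutralizes the attack; it is not code from the advisory or from Intrexx. It mimics a Velocity-style template that interpolates a request parameter: the template string, the `$userInput` placeholder and the payload are all constructed for the example, and Python's `html.escape` stands in for the role that `$encoder.htmlEscape($userInput)` plays inside a real template.

```python
import html
import re

# Constructed sample: a Velocity-style template that interpolates a request
# parameter into the page. "$userInput" is a placeholder chosen for this
# example, not an Intrexx identifier.
TEMPLATE = "<p>Hello, $userInput!</p>"

# Constructed attacker-supplied value of the kind the advisory describes.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_unescaped(template: str, user_input: str) -> str:
    """Vulnerable rendering: the raw value is substituted into the markup,
    so a <script> tag in the parameter becomes a live script in the page."""
    return template.replace("$userInput", user_input)


def render_escaped(template: str, user_input: str) -> str:
    """Hardened rendering: HTML-escape the value before substitution.

    html.escape turns <, >, &, " and ' into entity references, which is the
    effect the advisory's $encoder.htmlEscape($userInput) workaround has in
    a Velocity template: the browser displays the text instead of executing it.
    """
    return template.replace("$userInput", html.escape(user_input, quote=True))


def contains_live_script(markup: str) -> bool:
    """Crude check used to compare the two renderings: does the output still
    contain an unescaped script tag, inline event handler or javascript: URL?"""
    return re.search(r"<\s*script|\son\w+\s*=|javascript:", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unescaped:", render_unescaped(TEMPLATE, PAYLOAD))
    print("escaped:  ", render_escaped(TEMPLATE, PAYLOAD))
```

Output encoding has to happen at the point where the value is written into HTML; validating input on the way in (the other workaround listed) is a useful second layer but cannot know every context the value will later be rendered in.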
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Disable or restrict access to affected Velocity-Script functionality
🔍 How to Verify
Check if Vulnerable:
Check Intrexx Portal Server version in administration interface or configuration files
Check Version:
Check Intrexx installation directory for version files or use administration console
Verify Fix Applied:
Verify version is 12.0.4 or later and test Velocity-Script inputs with XSS payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags in request logs
- Suspicious JavaScript in Velocity-Script parameters
- Multiple failed script injection attempts
Network Indicators:
- HTTP requests containing script tags or JavaScript in parameters
- Unusual outbound connections following script execution
SIEM Query:
source="intrexx_logs" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
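As an added example (not part of the advisory), the script below applies the indicators from the SIEM query above to a handful of constructed access-log lines. Two practical refinements over the literal query are built in: the request target is URL-decoded (repeatedly, so double-encoded payloads surface too) and matching is case-insensitive, because `%3Cscript` or `<SCRIPT` would otherwise slip past a plain string match. The log layout is a generic access-log format assumed for the example, not the actual Intrexx log format, and the IP addresses and requests are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Indicators taken from the advisory's SIEM query. Matching happens after
# URL-decoding and lower-casing so that encoded or mixed-case variants are caught.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample log lines in a common access-log layout. This is NOT the
# real Intrexx log format; adjust LOG_RE to whatever your portal actually writes.
SAMPLE_LOGS = """\
192.0.2.10 - - [29/Apr/2025:10:01:02 +0000] "GET /portal/page?name=Alice HTTP/1.1" 200 512
192.0.2.55 - - [29/Apr/2025:10:01:09 +0000] "GET /portal/page?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
192.0.2.55 - - [29/Apr/2025:10:01:15 +0000] "GET /portal/page?name=%3CIMG%20src=x%20ONERROR=alert(1)%3E HTTP/1.1" 200 640
192.0.2.55 - - [29/Apr/2025:10:01:21 +0000] "GET /portal/page?name=JavaScript:alert(1) HTTP/1.1" 200 640
192.0.2.77 - - [29/Apr/2025:10:02:00 +0000] "POST /portal/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(target: str) -> str:
    """URL-decode until the string stops changing, then lower-case it, so that
    %3Cscript, %253Cscript and <SCRIPT all end up as '<script'."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()


def scan(log_text: str) -> list:
    """Return one record per request whose decoded target contains an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        decoded = normalize(m.group("target"))
        matched = [ind for ind in INDICATORS if ind in decoded]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "indicators": matched,
                "target": m.group("target"),
            })
    return hits


def repeat_offenders(hits: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` flagged requests, which is the
    'multiple script injection attempts' indicator from the advisory."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(h["ts"], h["ip"], h["indicators"], h["target"])
    print("repeat offenders:", repeat_offenders(found))
```

The indicator list is deliberately the advisory's own, so it will also flag legitimate content that happens to mention these strings; treat hits as triage candidates and weight them by repetition per source and by whether the response status shows the request reached a page that renders the parameter.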