CVE-2025-52180
📋 TL;DR
This cross-site scripting vulnerability in Zucchetti Ad Hoc Infinity allows unauthenticated attackers to inject malicious JavaScript into web pages via the pHtmlSource parameter. Attackers can steal session cookies, redirect users to malicious sites, or perform actions on behalf of users. All organizations using Ad Hoc Infinity 4.2 or earlier are affected.
💻 Affected Systems
- Zucchetti Ad Hoc Infinity
📦 What is this software?
Ad Hoc Infinity by Zucchetti
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data theft, and lateral movement within the application by stealing administrator credentials and session tokens.
Likely Case
Session hijacking, credential theft, and defacement of application pages for users who visit malicious links.
If Mitigated
Limited to user interface manipulation without access to sensitive data if proper input validation and output encoding are implemented.
🎯 Exploit Status
Attack requires crafting a malicious URL with JavaScript payload in the pHtmlSource parameter and tricking users into clicking it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.3 or later
Vendor Advisory: https://www.zucchetti.it/
Restart Required: No
Instructions:
1. Contact Zucchetti support for the latest patched version.
2. Back up the current installation.
3. Apply the vendor-provided patch or upgrade to version 4.3+.
4. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the pHtmlSource parameter before processing.
Implement input validation in /ahi/jsp/gsfr_feditorHTML.jsp to strip or encode HTML/JavaScript tags
Web Application Firewall Rules
Configure the WAF to block requests containing JavaScript in the pHtmlSource parameter.
Add WAF rule: Block requests where pHtmlSource parameter contains <script>, javascript:, or other XSS indicators
🧯 If You Can't Patch
- Implement Content Security Policy headers to restrict script execution
- Disable or restrict access to the vulnerable endpoint via network controls
🔍 How to Verify
Check if Vulnerable:
Test by accessing /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource=<script>alert('XSS')</script> and checking if script executes.
Check Version:
Check application version in admin interface or configuration files
Verify Fix Applied:
After patching, repeat the test and verify no script execution occurs. Check that input is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /ahi/jsp/gsfr_feditorHTML.jsp with pHtmlSource parameter containing script tags or JavaScript code
Network Indicators:
- Unusual outbound connections from application server following XSS payload delivery
SIEM Query:
source="web_server" AND uri="/ahi/jsp/gsfr_feditorHTML.jsp" AND query_string="*pHtmlSource=*script*"
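The log indicators and SIEM query above only match a literal `script` string; a percent-encoded or double-encoded payload would slip past them. The following added example (not part of the advisory) runs the same check over constructed combined-format access log lines, decoding the pHtmlSource value before matching so encoded variants are caught. The IPs, timestamps and payloads are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory above.
VULN_PATH = "/ahi/jsp/gsfr_feditorHTML.jsp"
VULN_PARAM = "pHtmlSource"

# Heuristic payload markers, matched after decoding. Extend to taste.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|<\s*iframe|\bon\w+\s*=", re.I)

# Combined log format: ip ident user [time] "METHOD uri HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: encoded payload, double-encoded payload,
# benign HTML in the same parameter, and the payload on an unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /ahi/jsp/gsfr_feditorHTML.jsp'
    '?pHtmlSource=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:13:56:01 +0000] "GET /ahi/jsp/gsfr_feditorHTML.jsp'
    '?pHtmlSource=%253Cscript%253E HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2025:13:57:10 +0000] "GET /ahi/jsp/gsfr_feditorHTML.jsp'
    '?pHtmlSource=%3Cp%3EHello%3C%2Fp%3E HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/Oct/2025:13:58:00 +0000] "GET /ahi/jsp/other.jsp'
    '?pHtmlSource=%3Cscript%3E HTTP/1.1" 404 0',
]

def decode_param(value, rounds=2):
    """Percent-decode up to `rounds` times so double encoding is not a bypass."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def check_line(line):
    """Return a dict describing a suspicious request to the vulnerable JSP, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path.lower() != VULN_PATH.lower():
        return None
    # parse_qs already decodes once; decode_param handles further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        decoded = decode_param(raw)
        hit = XSS_MARKERS.search(decoded)
        if hit:
            return {"ip": m.group("ip"), "time": m.group("time"),
                    "marker": hit.group(0), "decoded": decoded}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and return the hits."""
    return [r for r in (check_line(l) for l in lines) if r]
```

Feed real access logs to `scan()` in place of SAMPLE_LOG; a hit on a patched host is still worth a look, since it shows someone probing the endpoint.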