CVE-2025-55287
📋 TL;DR
This is an authenticated stored XSS vulnerability in the Genealogy PHP application. Authenticated attackers can inject malicious JavaScript that executes in other users' sessions, potentially leading to session hijacking and data theft. Only users with authenticated access to vulnerable versions are affected.
💻 Affected Systems
- Genealogy PHP application
📦 What is this software?
Genealogy by Kreaweb
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through session hijacking, theft of sensitive family data, and manipulation of the application interface to deceive users.
Likely Case
Session hijacking leading to unauthorized access to family tree data, potential data modification or deletion, and credential theft.
If Mitigated
Limited impact with proper input validation and output encoding in place, though authenticated users could still execute limited JavaScript in their own context.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of vulnerable input fields. The GitHub advisory provides technical details about the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.0
Vendor Advisory: https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r
Restart Required: No
Instructions:
1. Backup your current installation and database.
2. Download version 4.4.0 from the official repository.
3. Replace all files with the new version.
4. Verify the application functions correctly.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation and proper output encoding for all user-controllable data
Content Security Policy
Implement a strict Content Security Policy header to limit script execution, for example in Apache .htaccess (or the equivalent for your web server):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
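The two workarounds above can be checked concretely. The following is an added example (not code from the Genealogy project or from the advisory) that shows the vulnerable rendering pattern beside its output-encoded form for a constructed stored record, and a small parser that reads a Content-Security-Policy header value and reports whether inline script would be blocked. The record contents, the wrapper markup and the function names are illustrative assumptions.

```python
import html
import re

# Constructed example: a free-text field as a malicious authenticated user
# might have stored it (illustration only, not taken from the advisory).
STORED_RECORD = {
    "name": "Jane Doe",
    "notes": "<img src=x onerror=alert(document.cookie)>",
}


def render_unsafe(record: dict) -> str:
    """Vulnerable pattern: stored text is interpolated into HTML unchanged."""
    return f'<p class="notes">{record["notes"]}</p>'


def render_safe(record: dict) -> str:
    """Hardened pattern: encode for the HTML body context at output time.
    quote=True also encodes ' and ", so the same call is safe inside a
    double-quoted attribute value."""
    return f'<p class="notes">{html.escape(record["notes"], quote=True)}</p>'


TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def contains_active_markup(rendered: str, wrapper_tags=("p",)) -> bool:
    """Crude output check: does the rendered fragment contain any element
    other than the template's own wrapper tags? Encoded text contains none."""
    for m in TAG_RE.finditer(rendered):
        if m.group(1).lower() not in wrapper_tags:
            return True
    return False


def csp_blocks_inline_script(header_value: str) -> bool:
    """Parse a CSP header value and report whether an inline <script> block
    would be blocked. script-src falls back to default-src when absent.
    Per the CSP spec, 'unsafe-inline' is ignored once a nonce or hash
    source is listed, so such policies still block unnonced inline script."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no directive governs scripts at all
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    if has_nonce_or_hash:
        return True
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_RECORD))
    print("safe:  ", render_safe(STORED_RECORD))
    print("page's CSP blocks inline script:",
          csp_blocks_inline_script("default-src 'self'; script-src 'self'"))
```

Encoding must happen at output time and per context (HTML body, attribute, URL, JavaScript string); `html.escape` covers the first two, and the CSP header is a second layer that limits damage if an encoding step is missed, not a replacement for it.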
🧯 If You Can't Patch
- Implement web application firewall rules to block XSS payloads
- Restrict authenticated user privileges to minimize potential damage
🔍 How to Verify
Check if Vulnerable:
Any Genealogy version earlier than 4.4.0 is affected. Review application files for missing input sanitization or output encoding in user-controllable fields.
Check Version:
Check the application's version file or configuration, typically in a version.php or similar file in the root directory.
Verify Fix Applied:
Verify version is 4.4.0 or later. Test user input fields with basic XSS payloads like <script>alert('test')</script> to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests with script tags or JavaScript code in parameters
- Multiple failed login attempts followed by successful authentication and suspicious activity
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST parameters
- Unusual outbound connections from the application server
SIEM Query:
source="web_server_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND status=200
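The SIEM query above matches literal strings, but payloads in request URLs normally arrive percent-encoded, so a search for `<script` against the raw line misses `%3Cscript%3E`. The following is an added example (not part of the advisory) that applies the same four indicators and the `status=200` condition to constructed Apache combined-format access log lines after URL-decoding the request target. The log lines, IP addresses and paths are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "GET /people/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2025:10:00:05 +0000] "POST /people/12/edit?notes=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Sep/2025:10:01:09 +0000] "GET /people/13?tab=notes HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Sep/2025:10:02:44 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 403 120 "-" "curl/8.0"
203.0.113.13 - - [01/Sep/2025:10:03:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The same indicators the SIEM query on the page searches for.
INDICATORS = ("<script", "javascript:", "onload=", "onerror=")


def parse_line(line: str):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def matches_indicators(target: str, indicators=INDICATORS):
    """Return the indicators present in the URL-decoded, lower-cased target.
    Decoding makes %3Cscript%3E and mixed-case variants visible; a doubly
    encoded payload (%253C) would still be missed by a single decode."""
    decoded = unquote_plus(target).lower()
    return [i for i in indicators if i in decoded]


def find_suspicious(log_text: str, require_status=200):
    """Apply the indicators to every parsable line; require_status=None keeps
    blocked or failed requests too, which matter for hunting even though
    the page's query restricts to status 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = matches_indicators(rec["target"])
        if found and (require_status is None or rec["status"] == require_status):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "target": rec["target"], "status": rec["status"],
                         "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, require_status=None):
        print(hit)
```

Standard access logs record only the request line, so a payload submitted in a POST body (the usual route for a stored field) is invisible here; covering that case needs request-body logging at the reverse proxy or WAF, or application-level audit logging of field changes.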