CVE-2025-59715
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in SMSEagle allows attackers to inject malicious scripts via the username or contact phone number fields. When a user opens a crafted link and the application reflects the injected value back into the page, the script executes in that user's browser context, potentially stealing session cookies or performing unauthorized actions. All SMSEagle installations before version 6.11 are affected.
💻 Affected Systems
- SMSEagle
📦 What is this software?
SMSEagle by SMSEagle: an SMS gateway device managed through a web interface and an API.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the SMSEagle device, send unauthorized SMS messages, modify configurations, or pivot to internal networks.
Likely Case
Attackers would typically steal session cookies to impersonate legitimate users, potentially sending unauthorized SMS messages or accessing limited functionality based on the compromised account's privileges.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires user interaction with malicious links containing the XSS payload. The attacker needs to trick a user into clicking a specially crafted link.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.11
Vendor Advisory: https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-6-11/
Restart Required: No
Instructions:
1. Log into the SMSEagle web interface as administrator.
2. Navigate to System > Update.
3. Check for available updates.
4. Apply the update to version 6.11 or later.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
Deploy WAF rules to block requests containing XSS payload patterns in the username and phone number parameters. This is a stop-gap only: pattern filters can be evaded by encoding variants, so it does not replace the patch.
Content Security Policy Implementation
Implement strict CSP headers (for example from a reverse proxy in front of the device) to prevent inline script execution and restrict script sources. Test the legitimate UI afterwards, since a strict policy also blocks inline scripts the application itself may rely on.
🧯 If You Can't Patch
- Restrict SMSEagle web interface access to trusted IP addresses only using firewall rules
- Implement additional authentication layers and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check SMSEagle version in web interface under System > About. If version is below 6.11, the system is vulnerable.
Check Version:
No CLI command available. Check via web interface at System > About or via API if configured.
Verify Fix Applied:
After updating, verify the version is 6.11 or higher and test the username/phone fields with basic XSS payloads like <script>alert('test')</script> to confirm they are rendered as inert text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual login attempts following suspicious URL parameters
- Multiple failed login attempts with malformed usernames containing script tags
Network Indicators:
- HTTP requests containing script tags or JavaScript in username/phone parameters
- Unusual outbound connections following user interaction with SMSEagle
SIEM Query (match against the URL-decoded request URI; a payload sent as %3Cscript%3E would not match the literal pattern):
source="smseagle" AND (uri="*<script*" OR uri="*javascript:*" OR user_agent="*<script*")
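As an added example (not from the advisory or from SMSEagle), the following Python scanner applies the network indicators above to constructed web-server access-log lines, undoing nested percent-encoding before matching so that encoded payloads are not missed. The parameter names and the combined log format are assumptions, not SMSEagle's actual names or log layout.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters to inspect. The advisory names the username and contact phone
# number fields; these parameter names are assumed, not taken from SMSEagle.
WATCHED_PARAMS = {"username", "phone", "contact_phone"}

# Reflected-XSS indicators (heuristic; tune for your environment).
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),
    re.compile(r"<\s*(img|svg|iframe|body)\b", re.I),
]

# Combined log format (assumed): client IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding so %253Cscript%253E is seen as <script>."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_params(uri: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs whose value matches an XSS pattern."""
    hits = []
    for name, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for raw in values:  # parse_qs has already removed one encoding layer
            value = decode_fully(raw)
            if any(p.search(value) for p in XSS_PATTERNS):
                hits.append((name, value))
    return hits

def scan_log(lines: list[str]) -> list[dict]:
    """Scan access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for param, value in find_xss_params(m["uri"]):
                findings.append({"ip": m["ip"], "param": param, "value": value, "uri": m["uri"]})
    return findings

# Constructed sample lines (not real SMSEagle logs); the third one is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /login.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /login.php?username=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2025:12:01:10 +0000] "GET /contacts.php?phone=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 800',
    '198.51.100.7 - - [10/Oct/2025:12:01:11 +0000] "GET /search.php?q=%3Cscript%3E HTTP/1.1" 200 800',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third lines only; the fourth is ignored because `q` is not a watched parameter.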