CVE-2025-61074

4.6 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the adata Software GmbH Mitarbeiter Portal bulletin board allows authenticated attackers to inject malicious JavaScript into bulletin board messages. When other users view these messages, their browsers execute the attacker's code, potentially compromising their sessions or stealing sensitive data. This affects authenticated users of the Mitarbeiter Portal version 2.15.2.0.

💻 Affected Systems

Products:
  • adata Software GmbH Mitarbeiter Portal
Versions: 2.15.2.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the SchwarzeBrett (bulletin board) module. Requires authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as other users, redirect to malicious sites, or install malware on victim browsers.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the bulletin board content.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented.

🌐 Internet-Facing: MEDIUM - Requires authentication but can affect any user accessing the portal externally.
🏢 Internal Only: HIGH - Internal authenticated users can exploit this against colleagues, potentially escalating privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation involves simple manipulation of the 'Inhalt' parameter in CreateNachricht or EditNachricht requests. Public details available in the reference link.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.adata.de/mitarbeiter-portal/

Restart Required: No

Instructions:

Check vendor website for security updates. If unavailable, implement input validation and output encoding in the SchwarzeBrett module.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)

Add a CSP header to restrict script execution to trusted sources only, for example the response header Content-Security-Policy: script-src 'self'. With this policy (and no 'unsafe-inline') browsers refuse inline <script> tags and inline event handlers injected into messages; it reduces the impact of a stored payload but does not remove it, so treat it as a stop-gap until the module is fixed.

Disable Bulletin Board Module

Temporarily disable the SchwarzeBrett module if not essential.

Disable via application configuration or remove module access

🧯 If You Can't Patch

  • Implement strict input validation on the 'Inhalt' parameter to reject HTML/JavaScript content.
  • Apply output encoding to all user-generated content displayed in the bulletin board.

🔍 How to Verify

Check if Vulnerable:

Test by submitting a bulletin board message with a simple XSS payload like <script>alert('test')</script> and check if it executes when viewed.

Check Version:

Check application version in admin panel or configuration files; specific command depends on deployment.

Verify Fix Applied:

After fixes, repeat the test to ensure the payload is sanitized and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /SchwarzeBrett/Nachrichten/CreateNachricht or /SchwarzeBrett/Nachrichten/EditNachricht/ with script tags in parameters

Network Indicators:

  • HTTP traffic containing JavaScript in 'Inhalt' parameter values

SIEM Query:

source="web_logs" AND (url="/SchwarzeBrett/Nachrichten/CreateNachricht" OR url="/SchwarzeBrett/Nachrichten/EditNachricht/") AND (param="Inhalt" AND value MATCHES "<script.*>")
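The log and network indicators above, turned into a small log scanner as an added example (not code from the advisory or the vendor): it parses a constructed request-log format, URL-decodes the form body so encoded payloads are not missed, and flags POSTs to the two SchwarzeBrett endpoints whose 'Inhalt' value contains script tags, inline event handlers or javascript: URLs. The log line format, the regular expressions and the sample lines are assumptions.

```python
# Added example, not code from the advisory or the vendor: flag POSTs to the
# SchwarzeBrett endpoints whose 'Inhalt' field carries markup that can run
# script. The log line format and the sample lines below are constructed.
import re
from urllib.parse import parse_qs
WATCHED_PATHS = (  # endpoints named in the advisory
    "/SchwarzeBrett/Nachrichten/CreateNachricht",
    "/SchwarzeBrett/Nachrichten/EditNachricht/",
)
# script tags, inline event handlers, javascript: URLs; tested after URL decoding
ACTIVE_CONTENT = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")  # client user METHOD path body

SAMPLE_LOG = [  # constructed sample lines
    "10.0.0.5 alice POST /SchwarzeBrett/Nachrichten/CreateNachricht "
    "Titel=Lunch&Inhalt=Mensa+heute+geschlossen",
    "10.0.0.9 bob POST /SchwarzeBrett/Nachrichten/CreateNachricht "
    "Titel=Hi&Inhalt=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "10.0.0.9 bob POST /SchwarzeBrett/Nachrichten/EditNachricht/ "
    "Id=7&Inhalt=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "10.0.0.5 alice GET /SchwarzeBrett/Nachrichten/Index -",
    "10.0.0.7 carol POST /Profil/Update Inhalt=%3Cscript%3E",  # not watched
]

def parse_line(line):
    """Return (client, user, method, path, params) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, user, method, path, body = m.groups()
    # parse_qs URL-decodes values, so %3Cscript%3E becomes <script>
    return client, user, method, path, parse_qs(body, keep_blank_values=True)

def is_suspicious(line):
    """True for a POST to a watched path with active content in 'Inhalt'."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    _, _, method, path, params = parsed
    if method != "POST" or path not in WATCHED_PATHS:
        return False
    return any(ACTIVE_CONTENT.search(v) for v in params.get("Inhalt", []))

def scan(lines):
    """Return (user, path, decoded Inhalt) for every suspicious line."""
    hits = []
    for line in lines:
        if is_suspicious(line):
            _, user, _, path, params = parse_line(line)
            hits.append((user, path, params["Inhalt"][0]))
    return hits
```

Because matching happens on the decoded value, a payload sent as %3Cscript%3E is caught even though the raw log line never contains a literal script tag, which the SIEM query above would miss unless the log pipeline decodes parameters first.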
