CVE-2025-65231

6.1 MEDIUM

📋 TL;DR

Barix Instreamer v04.06 and earlier contains a stored cross-site scripting (XSS) vulnerability in the Web UI's I/O & Serial configuration page. An attacker with access to that page can store a malicious script in the CTS close command field; the script is then executed in the browser of any administrator or user who loads the Status page.

💻 Affected Systems

Products:
  • Barix Instreamer
Versions: v04.06 and earlier
Operating Systems: Embedded/Linux-based
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Web UI configuration page, which typically requires authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal administrator session cookies, perform actions as the administrator, or redirect users to malicious sites, potentially leading to full device compromise.

🟠 Likely Case

Attackers with access to the configuration page could inject scripts that steal credentials or session tokens from administrators viewing the Status page.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the configuration page but uses simple XSS payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://help.barix.com/instreamer/user-manual

Restart Required: No

Instructions:

Check vendor website for security updates. If available, download and apply the latest firmware version following Barix's update procedures.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement server-side validation and sanitization of user input in the CTS close command field.

Output Encoding (applies to: all)

HTML-encode the CTS close command value, and any other user-controlled setting, when the Status page renders it, so the browser displays it as text rather than executing it.

🧯 If You Can't Patch

  • Restrict access to the Web UI using network segmentation and firewall rules.
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Access the Web UI, navigate to I/O & Serial configuration, and attempt to inject a simple XSS payload like <script>alert('XSS')</script> in the CTS close command field. Then check if it executes on the Status page.

Check Version:

Check the firmware version in the Web UI's system information or status page.

Verify Fix Applied:

After applying fixes, repeat the injection test to confirm the payload is sanitized and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual input patterns in configuration logs, especially script tags or JavaScript in CTS close command fields.

Network Indicators:

  • HTTP requests containing XSS payloads to configuration endpoints.

SIEM Query:

source="web_logs" AND (uri="/config/io_serial" OR uri="/status") AND (message CONTAINS "<script>" OR message CONTAINS "javascript:")
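As an added example (not part of the advisory and not vendor code), the same two indicators as a Python script run over constructed access-log lines. The request paths and the cts_close form parameter name are assumptions mirroring the query above. Form bodies arrive percent-encoded, so a literal CONTAINS "<script>" match on the raw request misses the stored payload unless the SIEM decodes first; the script decodes before matching.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines, not real device logs. The request paths
# and the "cts_close" form parameter are assumptions mirroring the query above.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:10:00:01 +0000] "POST /config/io_serial HTTP/1.1" 200 cts_close=AT%2BCTS%3D0
10.0.0.5 - admin [01/Jan/2025:10:00:09 +0000] "POST /config/io_serial HTTP/1.1" 200 cts_close=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E
10.0.0.7 - - [01/Jan/2025:10:01:00 +0000] "GET /status HTTP/1.1" 200 -
10.0.0.9 - admin [01/Jan/2025:10:02:00 +0000] "POST /config/io_serial HTTP/1.1" 200 cts_close=JAVASCRIPT%3Aalert%281%29
"""

# Combined-log style line with the request body (or "-") appended.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<body>.*)$'
)
# Indicators from the SIEM query, case-insensitive, tolerant of stray spaces.
XSS_RE = re.compile(r'<\s*script\b|javascript\s*:', re.IGNORECASE)
# Endpoints the SIEM query watches (assumed paths).
WATCHED_URIS = {"/config/io_serial", "/status"}

def contains_xss_indicator(raw_body: str) -> bool:
    """Percent-decode the form body first: a literal "<script>" match on the
    raw body would miss %3Cscript%3E, which is how browsers submit it."""
    return XSS_RE.search(unquote_plus(raw_body)) is not None

def find_xss_indicators(log_text: str) -> list:
    """One record per request to a watched URI whose decoded body carries an
    XSS indicator; these are the events worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("uri") not in WATCHED_URIS:
            continue
        if contains_xss_indicator(m.group("body")):
            hits.append({
                "src": m.group("src"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "decoded": unquote_plus(m.group("body")),
            })
    return hits

if __name__ == "__main__":
    for hit in find_xss_indicators(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['user']} -> {hit['decoded']}")
```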
