CVE-2025-65300
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in the Coohom SaaS Platform allows attackers to inject malicious JavaScript into address fields (City, State, Country/Region). When users view affected profile pages, the injected code executes in their browsers, potentially leading to session hijacking or cookie theft. This affects users of the Coohom SaaS Platform with the vulnerable version.
💻 Affected Systems
- Coohom SaaS Platform
📦 What is this software?
Coohom by Coohom
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full platform access, compromise user accounts, and potentially pivot to internal systems.
Likely Case
Attackers steal user session cookies to hijack accounts, perform unauthorized actions, or steal sensitive data from user profiles.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing execution and limiting impact to data integrity issues.
🎯 Exploit Status
Exploitation requires an attacker to have an account or trick a user into submitting malicious input. The vulnerability is well-documented in public references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.coohom.com/pub/saas/settings/account
Restart Required: No
Instructions:
1. Monitor the vendor advisory URL for updates.
2. Apply any available patches from Coohom.
3. Test in a non-production environment first.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to reject or sanitize malicious input in address fields.
Output Encoding
Apply proper HTML encoding when rendering user input in the Account Settings page.
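The two workarounds above, server-side validation of the address fields followed by HTML encoding at render time, as an added Python example that is not part of this advisory or of the Coohom platform. The allowlist pattern, the field names, the sample values and the length limit are assumptions constructed for the demonstration; the second sample value is the test string from the "How to Verify" section.

```python
import html
import re

# Constructed sample values for the three address fields named in the advisory.
# "state" carries the advisory's own test string so the difference between the
# two renderers is visible.
SAMPLE_VALUES = {
    "city": "San José",
    "state": "<script>alert('XSS')</script>",
    "country": "Côte d'Ivoire",
}

# Assumed allowlist for place-name text: a letter or digit first, then letters
# (any script), digits, whitespace and the punctuation that occurs in real place
# names, at most 100 characters. Angle brackets, quotes and '=' are not allowed,
# so markup is rejected before it is ever stored.
ADDRESS_RE = re.compile(r"^[^\W_][\w\s.,'’\-()/]{0,99}$")


def validate_address_field(value: str) -> bool:
    """Workaround 1: server-side validation against the allowlist."""
    return bool(ADDRESS_RE.fullmatch(value))


def render_unsafe(fields: dict) -> str:
    """The vulnerable pattern: stored user input concatenated straight into HTML."""
    return "<p>{city}, {state}, {country}</p>".format(**fields)


def render_encoded(fields: dict) -> str:
    """Workaround 2: HTML-encode every field at output time (text/attribute context)."""
    encoded = {name: html.escape(value, quote=True) for name, value in fields.items()}
    return "<p>{city}, {state}, {country}</p>".format(**encoded)


def contains_live_script(rendered: str) -> bool:
    """Check used by the demo: is an un-encoded <script> tag still present in the HTML?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        print(f"{name:8} accepted by validation: {validate_address_field(value)}")
    print("unsafe :", render_unsafe(SAMPLE_VALUES))
    print("encoded:", render_encoded(SAMPLE_VALUES))
```

Validation and encoding are independent layers: the allowlist stops the value at the door, and the encoder makes whatever was already stored inert when it is rendered. `html.escape` is correct only for HTML text and quoted attribute contexts; a value placed inside a script block, an inline event handler or a URL needs the encoder for that context instead.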
🧯 If You Can't Patch
- Disable or restrict access to the Account Settings module for non-essential users.
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Test by entering a simple XSS payload like <script>alert('XSS')</script> into City, State, or Country/Region fields and check if it executes when viewing the profile.
Check Version:
Check the platform version via the interface or API; look for feVersion=1760060603897.
Verify Fix Applied:
Re-test with the same XSS payloads; they should be sanitized or encoded and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual or long strings in address field submissions
- Multiple failed validation attempts on address inputs
Network Indicators:
- HTTP requests containing script tags or JavaScript in address parameters
SIEM Query:
source="web_logs" AND url_path="/account/settings" AND (param="city" OR param="state" OR param="country") AND (param_value MATCHES "<script.*>.*</script>" OR param_value MATCHES "javascript:")
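The same detection logic as the SIEM query and the two log indicators above, run over a handful of access-log lines, as an added Python example that is not part of this advisory. The log lines, their format, the settings path and the length threshold are constructed assumptions for the demonstration, not real Coohom traffic or log schema.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real Coohom traffic), one request per
# line in an assumed format: client_ip method path?query status
SAMPLE_LOGS = """\
10.0.0.5 POST /account/settings?city=Berlin&state=BE&country=DE 200
10.0.0.7 POST /account/settings?city=%3Cscript%3Ealert(1)%3C%2Fscript%3E&state=CA&country=US 200
10.0.0.9 POST /account/settings?city=Paris&state=javascript%3Aalert(1)&country=FR 200
10.0.0.9 POST /search?q=%3Cscript%3E 200
10.0.0.11 POST /account/settings?city=Lima&state=x&country=PE 400
10.0.0.11 POST /account/settings?city=Lima&state=y&country=PE 400
"""

SETTINGS_PATH = "/account/settings"            # path used in the advisory's SIEM query
WATCHED_PARAMS = ("city", "state", "country")  # the three address parameters
MAX_FIELD_LEN = 100                            # assumed "unusually long string" threshold

# Same intent as the advisory's SIEM pattern: an opening <script> tag or a
# javascript: URL. Values are tested after URL-decoding so %3C-encoded tags match.
XSS_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Split one log line into ip, path, status and URL-decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def find_suspicious(log_text):
    """Return (ip, param, reason, value) for address-field values on the settings
    path that contain script markup or are implausibly long (network indicator
    and first log indicator)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != SETTINGS_PATH:
            continue
        for name in WATCHED_PARAMS:
            for value in rec["params"].get(name, []):
                if XSS_RE.search(value):
                    hits.append((rec["ip"], name, "script", value))
                elif len(value) > MAX_FIELD_LEN:
                    hits.append((rec["ip"], name, "long", value))
    return hits


def failed_validations_by_ip(log_text):
    """Count 4xx responses per client on the settings path; repeated rejections
    are the advisory's second log indicator."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == SETTINGS_PATH and 400 <= rec["status"] < 500:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT", *hit)
    print("rejections per IP:", failed_validations_by_ip(SAMPLE_LOGS))
```

Matching after URL-decoding matters: the raw request line for the second entry never contains the literal characters `<script>`, so a pattern applied to the undecoded URL (as the SIEM query above does if its `param_value` field is not already decoded) would miss it. The `/search` line is ignored because only the settings path is in scope, which keeps the rule from firing on every site search for the same string.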