Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-66258

Severity CVSS v4.0:
HIGH
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
26/11/2025
Last modified:
26/11/2025

Description

Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.<br /> User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `.bin`). The XSS executes when ajax.js processes and renders the XML file.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): Low
Availability (VA): Low
Confidentiality (SC): High
Integrity (SI): None
Availability (SA): None

Base Score 4.0
7.10
Severity 4.0
HIGH

References to Advisories, Solutions, and Tools