Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Cross-Site Scripting (XSS) in xCally Omnichannel

Posted date 13/11/2025
Identificador
INCIBE-2025-0632
Importance
3 - Medium
Affected Resources

Omnichannel, version 3.30.1.

Description

INCIBE has coordinated the publication of 1 medium-severity vulnerability, which affects xCally's Omnichannel, an omnichannel software for contacts centers. This vulnerability was discovered by Adrià Alavedra Palacios.

This vulnerability has been assigned the following code, CVS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40681: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

There is no solution reported at this time.

Detail

CVE-2025-40681: Cross-site Scripting (XSS) vulnerability reflected in xCally's Omnichannel v3.30.1. This vulnerability allowsan attacker to executed JavaScript code in the victim's browser by sending them a malicious URL using the 'failureMessage' parameter in '/login'. This vulnerability can be exploited to steal sentitive user data, such as session cookies , or to perform actions on behalf of the user.

CVE
Explotación
No
Nuevo Fabricante
xCally
Identificador CVE
CVE-2025-40681
Severidad
Media
References list
XCALLY Omnichannel Call Center SoftwareXCALLY Omnichannel Call Center Software
Etiquetas