Reflected Cross-Site Scripting (XSS) in Governalia by IDI Eikon
Governalia, versions prior to 1274.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Governalia by IDI Eikon, software designed for public administrations to provide online services to citizens. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-40700: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerability has been fixed by the IDI Eikon team in version 1274.
CVE-2025-40700: reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when the victim is sent, and opens, a crafted URL in which the 'q' parameter of '/search' is reflected into the page without proper output encoding. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim.
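The following is an added illustration, not code from Governalia or from INCIBE. It shows the CWE-79 pattern the advisory describes (a hypothetical search handler reflecting the 'q' parameter into HTML unchanged), the same handler fixed with output encoding at the point of reflection, and a small triage routine that scans constructed access-log lines for /search requests whose 'q' value carries HTML metacharacters. Handler names, the sample query and the log lines are all assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input for the 'q' parameter: ordinary text that happens to
# contain HTML metacharacters. Not a payload from the advisory.
SAMPLE_QUERY = 'report "2024" <b>budget</b>'

# Constructed access-log lines (Common Log Format) for the detection routine below.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /search?q=tax+rate HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2025:10:00:05 +0000] "GET /search?q=%3Cb%3Ereport%3C%2Fb%3E HTTP/1.1" 200 530
203.0.113.12 - - [01/Jan/2025:10:00:09 +0000] "GET /home HTTP/1.1" 200 100
"""

HTML_METACHARS = '<>"\''


def render_search_vulnerable(q: str) -> str:
    """Hypothetical handler that reflects q into the HTML body verbatim (the CWE-79 pattern)."""
    return f"<h1>Results for {q}</h1>"


def render_search_fixed(q: str) -> str:
    """Same handler, with HTML entity encoding applied where q is reflected.

    html.escape with quote=True converts & < > " and ' so that attacker-controlled
    text can no longer close the element or start a new tag or attribute.
    """
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def reflects_raw_markup(q: str, body: str) -> bool:
    """True if q containing HTML metacharacters appears verbatim in the response body.

    A cheap regression check: the fixed handler must never return True for any q.
    """
    return q in body and any(ch in q for ch in HTML_METACHARS)


def flag_suspicious_search_requests(log_text: str) -> list[str]:
    """Return decoded 'q' values of /search GET requests that carry HTML metacharacters.

    Intended as a log-review heuristic while hunting for exploitation attempts against
    an unpatched instance; it is not a substitute for patching or for output encoding.
    """
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/search":
            continue
        # parse_qs percent-decodes values and turns '+' into spaces, so we compare
        # against what the application would actually have received.
        for q in parse_qs(parts.query).get("q", []):
            if any(ch in q for ch in HTML_METACHARS):
                hits.append(q)
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(SAMPLE_QUERY))
    print("fixed:     ", render_search_fixed(SAMPLE_QUERY))
    print("flagged q values:", flag_suspicious_search_requests(SAMPLE_LOG))
```

The fix is deliberately placed at the output side: encoding is context-specific, and a search term that is legitimately allowed to contain quotes or angle brackets must still be stored and displayed safely. The log heuristic only narrows down which requests deserve a closer look; on a patched instance those requests are harmless, on an unpatched one they are where to start an investigation.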