[Update 07/07/2025] Stored Cross-Site Scripting (XSS) in CronosWeb by i2A

Posted date 26/05/2025
Identifier
INCIBE-2025-0269
Importance
3 - Medium
Affected Resources

CronosWeb, version 23.02.01.17.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting CronosWeb from i2A, a software for the management of sports centers and access control. The vulnerability was discovered by David Padilla Alvarado.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability CWE type:

  • CVE-2025-40663: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
Detail

CVE-2025-40663: Stored Cross-Site Scripting (XSS) vulnerability in CronosWeb version 23.02.01.17, from i2A. It allows an authenticated attacker to upload a malicious SVG image into the user's personal space at /CronosWeb/Modules/Persons/PersonalDocuments/PersonalDocuments.
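Stored XSS through an SVG upload works because SVG is XML that a browser will execute when the file is rendered inline: script elements, event-handler attributes and `javascript:` links are all honoured. As an added defender-side example (not code from i2A, INCIBE or the reporter, and not a description of how CronosWeb handles uploads), the following Python screens an uploaded SVG for such active content so the upload handler can reject it before it is stored. The two sample documents and the list of forbidden elements are constructed for this example.

```python
"""Pre-storage screening of an uploaded SVG for active content.

Added example, not part of the advisory or of the affected product.
The tag and attribute lists below are the author's assumptions about
what a personal-documents area has no reason to accept.
"""
import xml.etree.ElementTree as ET
from typing import List

# Elements that carry script or embed foreign (HTML) content when an SVG is rendered inline.
# Constructed policy list; extend for the application's needs.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Namespaced href used by SVG 1.1; unprefixed href is SVG 2.
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# URL schemes that execute code or smuggle content into a link target.
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")

# Constructed sample documents (not taken from the advisory).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('constructed test')">
  <script>alert('constructed test')</script>
  <a xlink:href="javascript:alert('constructed test')"><text y="10">click</text></a>
</svg>"""


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return a list of findings describing active content in the SVG.

    An empty list means nothing dangerous was found. A parse error is itself
    a finding, so malformed input is rejected rather than stored.
    NOTE: xml.etree does not defend against entity-expansion attacks; in
    production parse with defusedxml (assumption: that library is available).
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for name, value in elem.attrib.items():
            lname = _local(name)
            # Event handlers such as onload, onclick, onmouseover.
            if lname.startswith("on"):
                findings.append(f"event handler attribute {lname} on <{tag}>")
            # href / xlink:href pointing at a script-bearing scheme.
            if name == XLINK_HREF or lname == "href":
                v = value.strip().lower().replace("\x00", "")
                if v.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"{lname} on <{tag}> uses scheme {v.split(':', 1)[0]}:")
            # Inline CSS that pulls external resources or uses legacy expression().
            low = value.lower()
            if lname == "style" and ("url(" in low or "expression(" in low):
                findings.append(f"style attribute on <{tag}> references external content")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept-or-reject decision for an upload handler."""
    return not find_active_content(svg_bytes)


if __name__ == "__main__":
    print("benign:", find_active_content(BENIGN_SVG))
    print("malicious:", find_active_content(MALICIOUS_SVG))
```

Screening the content is one layer; the usual companion controls for user-uploaded images are to serve them with `Content-Disposition: attachment` (or only as `<img>` sources, where browsers do not run SVG script), from a separate origin with a restrictive Content-Security-Policy, so that a file which slips past the filter still cannot execute in the application's session.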

Tags