[Update 07/07/2025] Stored Cross-Site Scripting (XSS) in CronosWeb by i2A
CronosWeb, version 23.02.01.17.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting CronosWeb from i2A, software for managing sports centres and access control. The vulnerability was discovered by David Padilla Alvarado.
This vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE type:
- CVE-2025-40663: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
[Update 07/07/2025]
The vulnerability has been fixed by the i2A team in the first 2024 release of CronosWeb (versions 24.00 and later).
No installations currently remain on version 23.02; all are on version 24.00 or later, so the vulnerability is not exploitable in deployed instances. Administrators who cannot confirm their version should check it before relying on this.
CVE-2025-40663: stored Cross-Site Scripting (XSS) vulnerability in CronosWeb version 23.02.01.17, from i2A. The personal documents area at /CronosWeb/Modules/Persons/PersonalDocuments/PersonalDocuments accepts SVG images without stripping active content, so an authenticated attacker can upload an SVG file carrying script into the user's personal space. Because the file is stored by the application, the script executes in the browser of a user who later opens it, with that user's session (hence PR:L and UI:P in the vector).
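The control that prevents this class of bug is simple to state: either reject SVG uploads that carry active content, or never render user-supplied files in the application's origin. The following is an added illustration of both checks, written for this page; it is not CronosWeb code and is not the fix i2A shipped. The function and constant names, the two sample SVG documents and the size limit are all assumptions made for the example.

```python
"""Server-side controls for user-uploaded SVG files (illustrative example, not CronosWeb code).

find_active_content() rejects SVGs that embed script, event handlers, javascript:/data:
hrefs, or SMIL animations that can rewrite an href at runtime.
safe_download_headers() builds the response headers to use when a stored file must be
served back, so that even a malicious file never runs in the application's origin.
"""
import re
import xml.etree.ElementTree as ET

MAX_UPLOAD_BYTES = 1_000_000  # assumed limit; also bounds XML parser work on hostile input

# Elements that execute or embed script when an SVG is rendered inline in a page.
SCRIPT_BEARING_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def local_name(qualified):
    """ElementTree renders namespaced tags/attributes as '{uri}name'; return 'name'."""
    return qualified.rsplit("}", 1)[-1]


def has_dangerous_scheme(value):
    """Browsers ignore control characters inside the scheme, so strip them before comparing."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith(DANGEROUS_SCHEMES)


def find_active_content(svg_bytes):
    """Return a list of reasons the SVG must be rejected; an empty list means none found."""
    if len(svg_bytes) > MAX_UPLOAD_BYTES:
        return ["file exceeds size limit"]
    # Refuse DTDs outright: entity expansion and external entities have no place in an upload.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE and entity declarations are not accepted"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag).lower() != "svg":
        return ["root element is not <svg>"]

    reasons = []
    for el in root.iter():
        name = local_name(el.tag)
        if name.lower() in SCRIPT_BEARING_TAGS:
            reasons.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):  # onload, onclick, onmouseover, ...
                reasons.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and has_dangerous_scheme(value):
                reasons.append(f"href with dangerous scheme on <{name}>")
            elif (name.lower() in {"set", "animate"} and aname == "attributename"
                  and value.lower().endswith("href")):
                # <set attributeName="xlink:href" to="javascript:..."> rewrites a link at runtime
                reasons.append(f"<{name}> animating href")
    return reasons


def safe_download_headers(filename):
    """Headers for serving a stored user file: force download, no sniffing, no script if rendered."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs for the example (not files taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')

MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
                 b'<script>alert(1)</script>'
                 b'<a xlink:href="javascript:alert(2)"><text x="5" y="10">x</text></a>'
                 b'<set attributeName="xlink:href" to="javascript:alert(3)"/>'
                 b'</svg>')

if __name__ == "__main__":
    print("benign   :", find_active_content(BENIGN_SVG) or "accepted")
    print("malicious:", find_active_content(MALICIOUS_SVG))
    print(safe_download_headers("profile picture.svg"))
```

The two functions are independent: the first belongs in the upload handler, the second in whatever endpoint serves personal documents back. Using both means a file that slips past the content check still cannot execute in the CronosWeb origin, which is the property the CVSS vector's SC:L/SI:L impacts describe.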