[Update 20/10/2025] Stored Cross-Site Scripting (XSS) in Oct8ne Chatbot
- Affected product: Oct8ne Chatbot v2.3.
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Oct8ne Chatbot, a solution aimed at online shops (e-commerce) and customer service. The vulnerabilities were discovered by Javier Hernández and José Manuel Jerónimo.
These vulnerabilities have been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-10869: CVSS v4.0: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
- CVE-2025-11952: CVSS v4.0: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerabilities have been fixed by the Oct8ne team in the latest version.
Stored Cross-Site Scripting (XSS) in Oct8ne Chatbot v2.3. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a chat transcript that is then sent by email. They can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
The list of affected endpoints and assigned CVEs is as follows:
- CVE-2025-10869: '/Data/SaveInteractions' (discovered by Javier Hernández and José Manuel Jerónimo);
- CVE-2025-11952: '/Records/SendSummaryMail' (discovered by José Manuel Jerónimo).
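The pattern behind this class of bug, as an added illustration that is not Oct8ne's code and does not reproduce either of the endpoints above: a chat transcript is stored and later rendered into HTML (for example for an e-mail summary) by concatenating visitor-supplied text, so markup in a message survives into the page. The vulnerable renderer is shown beside the hardened one, which applies HTML entity encoding at the point of output, plus a small check that reports which stored messages reached the rendered HTML unencoded. The message contents and the function names are constructed for the example.

```javascript
// Added example (hypothetical, not Oct8ne's code): stored XSS through a
// chat transcript rendered to HTML, vulnerable and hardened side by side.

// Constructed sample input: messages a site visitor could submit to the
// chat. The second one carries a classic XSS probe; the third is benign
// text that merely contains HTML metacharacters.
const sampleInteractions = [
  { from: "agent",   text: "Hello, how can I help you?" },
  { from: "visitor", text: '<img src=x onerror="alert(document.cookie)">' },
  { from: "visitor", text: "Order 12345 & 67890 <pending>" },
];

// Contextual output encoding for text placed in HTML element content or
// in a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: stored text is concatenated straight into the transcript
// HTML, so any tag in a message becomes live markup.
function renderTranscriptVulnerable(interactions) {
  return interactions
    .map(m => `<p><b>${m.from}:</b> ${m.text}</p>`)
    .join("\n");
}

// HARDENED: every untrusted value is encoded at the moment it is written
// into HTML. The stored data is left as the user typed it; only the
// rendering changes, so benign text like "A & B <pending>" still displays
// correctly.
function renderTranscriptSafe(interactions) {
  return interactions
    .map(m => `<p><b>${escapeHtml(m.from)}:</b> ${escapeHtml(m.text)}</p>`)
    .join("\n");
}

// Audit helper: returns the stored messages that contain HTML
// metacharacters and appear verbatim (unencoded) in the rendered output.
// An empty result means every such message was encoded.
function findUnescapedMessages(html, interactions) {
  return interactions
    .filter(m => /[<>"'&]/.test(m.text) && html.includes(m.text))
    .map(m => m.text);
}

// Stand-alone run over the constructed sample.
const vulnerableHtml = renderTranscriptVulnerable(sampleInteractions);
const safeHtml = renderTranscriptSafe(sampleInteractions);
console.log("leaked by vulnerable renderer:",
  findUnescapedMessages(vulnerableHtml, sampleInteractions));
console.log("leaked by hardened renderer:",
  findUnescapedMessages(safeHtml, sampleInteractions));
```

Most mail clients do not execute script, so the practical impact of a transcript like this is wherever the stored content is later rendered as HTML in a browser; the fix is the same in either place: encode at output for the HTML context being written, rather than trying to strip "bad" strings from the stored messages.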