Stored Cross-Site Scripting (XSS) in Sesame web application
Sesametime.
INCIBE has coordinated the publication of a medium-severity vulnerability affecting the Sesame web application, an employee management application. The vulnerability was discovered by Miguel Jiménez Cámara.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41084: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
There is no solution reported at this time.
CVE-2025-41084: stored Cross-Site Scripting (XSS) vulnerability in the Sesame web application, caused by uploaded SVG images not being properly sanitized. An attacker can embed malicious scripts in an SVG file and upload it with a POST request using the 'logo' parameter of '/api/v3/companies/<ID>/logo'; the file is stored on the server and the script executes in the context of any user who accesses the compromised resource.
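An allow-list check that a defender can place in front of a logo-upload endpoint such as the one described above, rejecting the SVG constructs that make stored XSS possible. This is an added example, not Sesame code; the allowed-element list and the two sample SVGs are constructed here.

```python
"""Allow-list validation for uploaded SVG logos (added example, not Sesame code).
Rejects constructs that turn an SVG into a stored-XSS vector: script elements,
event-handler attributes, non-fragment hrefs, foreign content and remote url()."""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

# Elements a company logo legitimately needs; anything else is rejected.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "symbol", "use", "path", "rect",
    "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan",
    "linearGradient", "radialGradient", "stop", "clipPath", "mask",
}
# Attribute values that can execute code or fetch remote content (url(#local) is allowed).
DANGEROUS_VALUE = re.compile(r"javascript:|url\s*\(\s*['\"]?(?!#)|expression\s*\(", re.I)

def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def validate_svg(data: bytes) -> list[str]:
    """Return the policy violations found; an empty list means the upload is accepted."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, expected <svg>"]
    problems = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in ALLOWED_ELEMENTS:
            problems.append(f"disallowed element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()  # xlink:href and href both become "href"
            if name.startswith("on"):
                problems.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and not value.startswith("#"):
                problems.append(f"non-fragment href on <{tag}>: {value!r}")
            elif DANGEROUS_VALUE.search(value):
                problems.append(f"suspicious value in {name} on <{tag}>")
    return problems

# Constructed inputs: a benign logo and one carrying the kind of content the advisory describes.
BENIGN_LOGO = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED_LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>console.log("test")</script><rect width="1" height="1" onload="console.log(1)"/>
  <use xlink:href="https://example.invalid/x.svg#a"/></svg>"""

if __name__ == "__main__":
    print(validate_svg(BENIGN_LOGO), validate_svg(SCRIPTED_LOGO))
```

Validation should be paired with a second layer at serving time: deliver uploaded logos with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy`, or rasterise them to PNG, so that a file that slips through cannot run in the application's origin.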