Reflected Cross-Site Scripting (XSS) in WebWork

Posted date 08/09/2025
Identifier
INCIBE-2025-0475
Importance
3 - Medium
Affected Resources

WebWork.

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting WebWork, a search engine PHP script. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-40642: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The manufacturer has fixed the reported vulnerability.

Detail

CVE-2025-40642: reflected Cross-Site Scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary code through the 'q' and 'engine' request parameters in /search.
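
A log triage sketch for the endpoint and parameters named above, added here as an example (it is not INCIBE's or the vendor's code): it flags requests to /search whose 'q' or 'engine' value decodes to markup, including double-encoded values. The combined access-log format, the angle-bracket heuristic and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

SEARCH_PATH = "/search"            # endpoint named in the advisory
WATCHED_PARAMS = ("q", "engine")   # parameters named in the advisory
# Assumption: angle brackets are rare in real search terms, so they are the signal.
MARKUP_CHARS = re.compile(r"[<>]")
# Assumption: combined-format access log; capture the request target.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return {param: decoded value} for watched parameters carrying markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    if url.path.rstrip("/") != SEARCH_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for raw in values if name in WATCHED_PARAMS else ():
            value = decode_fully(raw)  # parse_qs has already decoded once
            if MARKUP_CHARS.search(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return (line index, hits) for every log line worth triaging."""
    return [(i, h) for i, h in enumerate(map(suspicious_params, lines)) if h]

# Constructed sample log lines (documentation IP ranges, harmless values).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2025:10:00:01 +0000] "GET /search?q=privacy+tools&engine=web HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/Sep/2025:10:00:07 +0000] "GET /search?q=%3Cscript%3Etest%3C%2Fscript%3E&engine=web HTTP/1.1" 200 4800',
    '198.51.100.2 - - [08/Sep/2025:10:01:13 +0000] "GET /search?q=news&engine=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 4712',
    '198.51.100.7 - - [08/Sep/2025:10:02:40 +0000] "GET /about?q=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"line {index}: {hits}")
```

Hits are candidates for review, not confirmed exploitation: whether a value was reflected unescaped depends on the installed WebWork version.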

CVE
Exploitation
No
Tags