Stored Cross-Site Scripting (XSS) in i2A-Cronos by i2A

Posted date
26/05/2025
Identifier
INCIBE-2025-0269
Importance
3 - Medium
Affected Resources

Cronos, 23.02.01.17 version.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting i2A-Cronos from i2A, a software for the management of sports centers and access control. The vulnerability was discovered by David Padilla Alvarado.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and vulnerability CWE type:

  • CVE-2025-40663: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

There is no reported solution at this time.

Detail

CVE-2025-40663: a stored Cross-Site Scripting (XSS) vulnerability in i2A-Cronos version 23.02.01.17, from i2A. It allows an authenticated attacker to upload a malicious SVG image into the user's personal document space at /CronosWeb/Modules/Persons/PersonalDocuments/PersonalDocuments.
There is no reported fix at this time.
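The weakness described above (CWE-79 via an uploaded SVG) is a general pattern: SVG is XML that may carry script elements, event-handler attributes and scripting URLs, so an application that stores user-supplied SVG and later serves it from its own origin can be turned into a stored XSS vector. The following is an added example, written for this page and not code from i2A, INCIBE or the Cronos product, showing the two defensive controls a practitioner would want: a check that rejects active content at upload time, and the response headers to use when serving stored user documents so that a file which slips through is downloaded rather than rendered in the application's origin. The sample SVG documents are constructed for the example.

```python
"""Reject active content in user-uploaded SVG and serve stored documents safely.

Added example; not the vendor's or INCIBE's code. The element and attribute
names checked here are the standard ones that let an SVG execute script:
<script>, <foreignObject> (embeds arbitrary HTML), on* event handlers and
javascript:/data:/vbscript: link targets.
"""
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name):
    """Strip the XML namespace ('{uri}tag' -> 'tag') and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings describing active content in the SVG.

    An empty list means nothing suspicious was found. Malformed XML is
    reported as a finding instead of raising, so the caller treats it as
    a rejection rather than an error path.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]

    findings = []
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))

    # root.iter() yields the root itself, so handlers on <svg ...> are covered.
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % name)
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (aname, name))
            # covers both plain href and xlink:href (namespaced key)
            if aname == "href":
                target = value.strip().lower().replace(" ", "")
                if target.startswith(SCRIPT_SCHEMES):
                    findings.append("scripting URL in href on <%s>" % name)
    return findings


def is_safe_svg(svg_bytes):
    """True only when no active content was detected."""
    return not find_active_content(svg_bytes)


def download_headers(filename):
    """Headers for serving a stored user document.

    The browser is told to download the file, never to sniff or render it,
    and a sandboxed CSP blocks script even if something does get rendered.
    Quote and control characters are dropped from the name to keep the
    Content-Disposition header well-formed.
    """
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for the example (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)">'
    b'<script>console.log("constructed")</script></svg>'
)
LINK_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG), ("link", LINK_SVG)):
        print(label, "->", find_active_content(doc) or "ok")
```

The upload check is an allow-or-reject gate, not a sanitizer: rewriting SVG to strip script is error-prone, and rejecting the file is the safer default for a document store. The standard-library parser is used here for portability; in production, parse untrusted XML with a hardened parser (for example the defusedxml package) to cover entity-expansion attacks that this check does not address. The serving headers matter independently of the upload check, because the stored XSS only has impact when the file is rendered in the application's origin.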

Tags