CVE-2025-11682 | THREATINT

Description

Stored cross-site scripting (XSS) vulnerability in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform allows an authenticated attacker to execute arbitrary JavaScript code in a victim's browser. The vulnerability is due to improper sanitization of SVG file uploads. An attacker can upload a malicious SVG file containing a script payload to a campaign. When another user views this image on the public LMT microsite, the script executes, which can lead to session hijacking, data theft, or other unauthorized actions.This issue affects Customer Engagement & Loyalty Platform before 4.617.4.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-27 | Updated 2025-10-27 | Assigner NCSC.ch

HIGH: 7.1CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

CWE-83: Improper Neutralization of Script in Attributes in a Web Page

Product status

Default status

unaffected

Any version before 4.617.4

affected

References

www.redguard.ch/blog/2025/10/27/advisory-perx-lmt-dashboard/

cve.org (CVE-2025-11682)

nvd.nist.gov (CVE-2025-11682)

Download JSON