CVE-2025-30036 | THREATINT

Description

Stored XSS vulnerability exists in the "Oddział" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights.

PUBLISHED Reserved 2025-03-14 | Published 2025-08-27 | Updated 2025-08-27 | Assigner CERT-PL

HIGH: 8.8CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unaffected

Any version before 2024.MS4

affected

Credits

Maciej Kazulak finder

References

cert.pl/en/posts/2025/08/CVE-2025-2313/

cve.org (CVE-2025-30036)

nvd.nist.gov (CVE-2025-30036)

Download JSON