Description

Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in one of the parameters of the index.php form allows arbitrary JavaScript to be executed in the victim's browser when a specially crafted URL is opened. The vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable.

PUBLISHED Reserved 2025-07-17 | Published 2025-08-14 | Updated 2025-08-14 | Assigner CERT-PL




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status
unknown

Any version
affected

Credits

Kamil Szczurowski finder

Robert Kruczek finder

References

cert.pl/posts/2025/07/CVE-2025-7761 third-party-advisory

www.lepszybip.pl/ product

cve.org (CVE-2025-7761)

nvd.nist.gov (CVE-2025-7761)