CVE-2025-66561: High Severity XSS Vulnerability in SysReptor Puts Pentest Reports at Risk

Overview

CVE-2025-66561 is a high-severity security vulnerability affecting SysReptor, a popular pentest reporting platform. Specifically, it is a Stored Cross-Site Scripting (XSS) vulnerability that could allow authenticated users to inject malicious JavaScript into the system, potentially impacting other users’ accounts and data. It has been assigned a CVSS score of 7.3, indicating a high level of severity.

This advisory highlights the importance of keeping your SysReptor instance up-to-date to protect against this type of attack.

Technical Details

The Stored XSS vulnerability (CVE-2025-66561) exists within SysReptor versions prior to 2025.102. An authenticated user with the necessary permissions to upload files (likely related to report customization or asset management) can upload a malicious JavaScript file via the web UI. This JavaScript code is then stored on the server. When another user (e.g., an administrator or another pentester) views or interacts with the content where the injected JavaScript is displayed, the script executes in their browser. This allows the attacker to:

  • Steal session cookies, potentially leading to account takeover.
  • Modify the content of the SysReptor interface as viewed by the victim.
  • Redirect the user to a malicious website.
  • Execute other malicious actions within the context of the victim’s session.

The attack vector involves uploading the crafted JavaScript file, which is then persistently stored and executed when accessed by another user within the application.

CVSS Analysis

  • CVE ID: CVE-2025-66561
  • Severity: HIGH
  • CVSS Score: 7.3

A CVSS score of 7.3 signifies a high-severity vulnerability. While the attack requires authentication, the potential impact is significant, as it allows arbitrary JavaScript to execute in the browser sessions of other users, including those with higher privileges.

Possible Impact

The successful exploitation of this vulnerability can lead to several serious consequences:

  • Account Takeover: Attackers can steal user session cookies and hijack accounts, gaining unauthorized access to sensitive pentest data and reports.
  • Data Breach: Attackers can access and potentially exfiltrate sensitive information stored within SysReptor, including customer data, vulnerability assessments, and pentest results.
  • Defacement: The SysReptor interface can be defaced, disrupting the platform’s usability and potentially damaging the organization’s reputation.
  • Phishing: Users can be redirected to phishing websites designed to steal credentials or install malware.

Mitigation or Patch Steps

The vulnerability is fixed in SysReptor version 2025.102. To mitigate this risk, it is strongly recommended that all users upgrade to version 2025.102 or later as soon as possible.
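The upgrade check above, as an added example that is not part of the original advisory or of the SysReptor project: it triages an inventory of instances against the fixed release 2025.102 and shows why comparing versions as decimals misclassifies an older release. It assumes version strings have the form YEAR.RELEASE with integer parts; the hostnames and inventory are constructed sample values.

```python
import re

# First fixed release according to the advisory.
FIXED = (2025, 102)

# Assumed format: YEAR.RELEASE, both integers, optional leading "v".
_VERSION_RE = re.compile(r"^\s*v?(\d{4})\.(\d+)\s*$")


def parse_version(text):
    """Return (year, release) as integers, or None if the format is unexpected."""
    m = _VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(text):
    """True if older than 2025.102, False if patched, None if unparseable."""
    version = parse_version(text)
    return None if version is None else version < FIXED


def naive_is_vulnerable(text):
    """Decimal comparison, kept only to show the pitfall: 2025.37 > 2025.102."""
    return float(text) < 2025.102


def triage(inventory):
    """Map each host to 'vulnerable', 'patched' or 'unknown' (needs manual review)."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are sample values.
INVENTORY = {
    "reports-a.example.internal": "2025.37",
    "reports-b.example.internal": "2025.102",
    "reports-c.example.internal": "2024.96",
    "reports-d.example.internal": "v2025.110",
    "reports-e.example.internal": "latest",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:30} {INVENTORY[host]:10} {status}")
```

Hosts reported as unknown should be checked by hand and not counted as patched.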

If upgrading immediately is not feasible, consider the following temporary mitigations:

  • Review and restrict user permissions related to file uploads. Only grant these permissions to trusted users.
  • Monitor SysReptor logs for suspicious activity, such as unusual file uploads or unexpected JavaScript execution.

However, these mitigations are only temporary and should not be considered a replacement for upgrading to the patched version.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
