CVE-2025-22373

XSS, HTML and Style injection on login page

CVE

CVE-2025-22373

Title

XSS, HTML and Style injection on login page

Case

DIVD-2025-00001

Credits

Jesse Meijer (DIVD) (finder)
Frank Breedijk (DIVD) (analyst)

Affected products

Product	Affected	Unaffected	Unknown
SicommNet BASEC on SaaS	>= 14 Dec 2021 to < * (custom)
SicommNet BASEC on SaaS			everything else

CVSS

Base score	8.7 - HIGH
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	NONE
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	NONE
Integrity Impact
Vulnerable system	HIGH	Subsequent systems	NONE
Availability Impact
Vulnerable system	HIGH	Subsequent systems	NONE
Safety impact	NOT_DEFINED
Automatable	YES
Recovery	NOT_DEFINED
Value Density	CONCENTRATED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://basec.sicomm.net/login/ ( product )
https://csirt.divd.nl/DIVD-2025-00001 ( third-party-advisory )
https://csirt.divd.nl/CVE-2025-22373 ( third-party-advisory )

Problem type(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Impact(s)

Exploit(s)

Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.

Date published

12 Apr 2025 00:00 UTC

Last modified

15 Apr 2025 10:38 UTC

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles

This issue affects BASEC: from 14 Dec 2021.

JSON version.

DIVD CSIRT

CVE-2025-22373

XSS, HTML and Style injection on login page

Description