CVE Catalog

CVE-2025-55887

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile - higher than 33% of all known CVEs

Summary

A Cross-Site Scripting (XSS) vulnerability was discovered in the ARD meal reservation service. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that executes in the user's browser.

Risk Assessment

An attacker can hijack user sessions, steal cookies, and perform other malicious actions on behalf of the victim, potentially leading to data confidentiality breaches and system integrity compromise.

Recommendation

Immediately update the ARD service to the latest version that includes fixes for input validation and output encoding. In the meantime, implement filtering of the transactionID parameter and apply Content Security Policy (CSP) headers.

Original NVD description (English source)

Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user s browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS