CVE-2025-65300
low-risk
Published 2025-12-09
A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser.
Do I need to act?
-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Coohom
Affected Vendors
References (3)
Third Party Advisory
https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377
Permissions Required
https://www.coohom.com/pub/saas/settings/account
Third Party Advisory
https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377
26
/ 100
low-risk
Severity
21/34 · High
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal