{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1076", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-02-06T10:26:29.876Z", "datePublished": "2025-02-06T13:33:07.077Z", "dateUpdated": "2025-02-13T13:47:45.237Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Holded", "vendor": "Holded", "versions": [{"status": "affected", "version": "all versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jes\u00fas Alcalde Alc\u00e1zar"}, {"lang": "en", "type": "finder", "value": "Diego Le\u00f3n Casas"}], "datePublic": "2025-02-06T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality."}], "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-13T13:47:45.237Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform."}], "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform."}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting vulnerability in Holded", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-06T14:15:13.488168Z", "id": "CVE-2025-1076", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T14:15:20.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1076", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-06T14:15:13.488168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T14:15:17.104Z"}}], "cna": {"title": "Stored Cross-Site Scripting vulnerability in Holded", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jes\u00fas Alcalde Alc\u00e1zar"}, {"lang": "en", "type": "finder", "value": "Diego Le\u00f3n Casas"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Holded", "product": "Holded", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform.", "supportingMedia": [{"type": "text/html", "value": "The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and restrict the uploading of scripts only to domains specified in its whitelist. This effectively mitigates script injection, as is the case with this vulnerability. There is currently no active risk associated with this vulnerability in the Holded platform.", "base64": false}]}], "datePublic": "2025-02-06T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality.", "supportingMedia": [{"type": "text/html", "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-02-13T13:47:45.237Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1076", "state": "PUBLISHED", "dateUpdated": "2025-02-13T13:47:45.237Z", "dateReserved": "2025-02-06T10:26:29.876Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2025-02-06T13:33:07.077Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable \u2018name\u2019 and \u2018icon\u2019 parameters of the Activities functionality."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de Cross-Site Scripting (Stored XSS) Almacenado en la aplicaci\u00f3n Holded. Esta vulnerabilidad podr\u00eda permitir a un atacante almacenar un payload de JavaScript dentro de los par\u00e1metros editables \"nombre\" e \"icono\" de la funcionalidad Actividades."}], "id": "CVE-2025-1076", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-02-06T14:15:30.287", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-vulnerability-holded"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}

{}

{}