Reflected XSS in BEO Atlas Einfuhr-Ausfuhr 3.0 (CVE-2025-61427)

Critical Vulnerability Information Vulnerability Overview Vulnerability Name: Reflected Cross-Site Scripting (XSS) CVE ID: CVE-2025-61427 Affected Product: BEO Atlas Einfuhr-Ausfuhr 3.0 Discoverer: Lennard Kießling Disclosure Status: Patch veröffentlicht (Responsible Disclosure) Vulnerability Details Impact Scope: - Affected Version: BEO Atlas Einfuhr-Ausfuhr 3.0 Build/Release 20250328 (as of August 5, 2025) - Fix: Patch released on August 19, 2025 Technical Description Vulnerable Component: Login component Issue Description: The login component fails to properly escape or validate the and parameters, allowing attackers to execute arbitrary JavaScript code by crafting a malicious URL. Attack Scenario: 1. Attacker crafts a URL containing malicious script. 2. Victim clicks on the malicious link. 3. Browser loads the page and executes the script, potentially leading to session hijacking, page defacement, etc. Vulnerability Discovery Process Directory Scanning: Identified all publicly accessible paths. Page Selection: Chose pages designed as "old" or likely custom-developed for testing. Initial Testing: Checked input fields for SQL injection, XSS, and other issues. Reflected XSS Testing: Confirmed URL parameters are directly reflected into the DOM, enabling XSS attacks. Reporting & Fix: Vendor notified, and patch released. Timeline Vulnerability Discovery: During authorized assessment (internal records) Vendor Notification: Notified immediately after validation Patch Release: August 19, 2025 CVE Assignment: CVE-2025-61427 Public Description: October 31, 2025 Conclusion Even if an application is used internally, it may still be accessible from outside under certain conditions. Therefore, security testing should be conducted for potential external access points.

Goal Reached Thanks to every supporter — we hit 100%!

Reflected XSS in BEO Atlas Einfuhr-Ausfuhr 3.0 (CVE-2025-61427)