The reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-59905, resides in the Kubysoft ERP platform. It specifically exists within the endpoint `/node/kudaby/nodeFN/procedure`. The vulnerability stems from the application's failure to properly neutralize user-controlled input across multiple parameters accessible via this endpoint. When a crafted request containing malicious script code is sent to this URL, the server reflects the input back in the HTTP response without proper sanitization or encoding. Consequently, the victim's browser executes the injected script in the context of the Kubysoft application. An attacker typically exploits this by tricking a victim into clicking a specially crafted link, leading to the execution of the attacker's script. This allows for actions such as session hijacking by stealing cookies or performing unauthorized actions on behalf of the authenticated user. Discovered by David Padilla Alvarado, the vulnerability affects all versions of Kubysoft prior to the vendor-supplied fix. The attack requires low privileges and user interaction, with a CVSS v4.0 base score of 4.8, indicating medium severity.
DailyCVE Form:
Platform: Kubysoft ERP
Version: All versions
Vulnerability : Reflected XSS
Severity: MEDIUM (4.8)
Date: 2026-02-16
Prediction: Patch already available
What Undercode Say:
Analytics:
- EPSS Score: 0.02% (3rd percentile)
- CWE: 79 (Improper Neutralization of Input)
- Attack Vector: Network
- User Interaction: Required
Exploit:
Basic Proof of Concept
This URL injects a JavaScript alert box to demonstrate reflection
curl "https://[KUBYSOFT-INSTANCE]/node/kudaby/nodeFN/procedure?param1=<script>alert('XSS_CVE-2025-59905')</script>&param2=test"
<!-- Malicious link to be sent to a victim --> <a href="https://[VICTIM-INSTANCE]/node/kudaby/nodeFN/procedure?parameter=<svg onload=alert(document.cookie)>">Click here for your invoice</a>
Protection from this CVE:
1. Update Kubysoft to the latest patched version immediately.
2. Implement a Content Security Policy (CSP) header to mitigate script execution. Example Apache configuration:
   Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
3. Sanitize all user input with context-aware output encoding.
4. Set HttpOnly and Secure flags for session cookies. Example:
   Set-Cookie: sessionid=value; HttpOnly; Secure; SameSite=Strict
5. Validate and sanitize all parameters passed to the vulnerable endpoint.
Impact:
Successful exploitation allows arbitrary JavaScript execution in a victim's browser. This leads to session hijacking, credential theft, defacement of the web application, and potential redirection to malicious sites. As Kubysoft is an ERP platform, this could expose sensitive financial data and customer information and facilitate internal fraud.
Sources:
Reported By: nvd.nist.gov