CVE-2025-41021

Name of the Vulnerable Software and Affected Versions Sergestec Exito version 8.0

Description A stored Cross-Site Scripting (XSS) issue exists in Sergestec Exito version 8.0. The issue is due to insufficient validation of user-supplied data. A malicious user can exploit this by sending a POST request with a crafted payload through the obs parameter in the '/admin/index.php?action=product update' API endpoint. Successful exploitation could allow an attacker to steal cookie session details from authenticated users.

Recommendations Apply input validation and sanitization to the obs parameter in the '/admin/index.php?action=product update' API endpoint.