PT-2025-11281 · Leica · Aperio Eslide Manager Application

Published: 2025-03-14 · Updated: 2025-03-14 · CVE-2025-1888
CVSS v3.1: 4.6 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Aperio Eslide Manager Application (affected versions not specified)
Description: A cross-site scripting (XSS) flaw in the Leica Web Viewer component of the Aperio Eslide Manager Application. An authenticated user can place JavaScript in the memo field of a slide; the memo text is rendered into a Microsoft tooltip without being escaped, so the script executes in the browser of any user who hovers over the field to view the memo. Although labelled reflected XSS here, the payload is saved in the memo field and fires for other users who view it, which is the behaviour of stored XSS. The CVSS vector (PR:L, UI:R) reflects that exploitation needs an authenticated account to plant the memo and a victim to hover over it.
Recommendations: Until a vendor patch is available, disable the hover-over (tooltip) display of the memo field in the Leica Web Viewer so that memo content is not rendered as markup; restrict access to the Leica Web Viewer component to trusted users, since an authenticated account is required to plant the payload; and avoid entering or viewing memos in the Leica Web Viewer until the issue is resolved. Review existing memo content for HTML or script markup before the hover action is re-enabled.
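As an added illustration (not Leica's code and not taken from the advisory), the following JavaScript shows how a memo string interpolated into tooltip markup without escaping lets a hover-triggered handler through, and how context-aware escaping closes the hole. The rendering functions, the slide ID and the payload are constructed for this example; `eventHandlerAttributes` is a small check that parses the generated markup the way a browser would and lists any `on*` attributes that would be live in the DOM, so the unsafe and hardened renderers can be compared on the same input.

```javascript
// Added example (hypothetical code, not the vendor's): a slide memo rendered
// into a tooltip unescaped versus escaped. Runs under Node.js; the tooltip
// markup is built as a string so no DOM is required.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable shape: the memo goes straight into a title attribute and into
// the tooltip body. A memo containing a double quote can close the attribute
// and append its own event handler attribute.
function renderMemoTooltipVulnerable(slideId, memo) {
  return `<div class="slide" data-slide="${slideId}" title="${memo}">` +
         `<span class="memo-tooltip">${memo}</span></div>`;
}

// Hardened shape: every interpolated value is escaped for its context, so the
// memo can never terminate the attribute or open a new tag.
function renderMemoTooltipSafe(slideId, memo) {
  const id = escapeHtml(slideId);
  const text = escapeHtml(memo);
  return `<div class="slide" data-slide="${id}" title="${text}">` +
         `<span class="memo-tooltip">${text}</span></div>`;
}

// Check: walk the start tags in the markup, split each one into attributes
// (respecting quoting, so an escaped quote inside a value does not count as
// a boundary) and report every attribute whose name starts with "on".
function eventHandlerAttributes(html) {
  const found = [];
  const tagRe = /<[a-z][\w-]*((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/gi;
  const attrRe = /([\w:-]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (/^on/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Constructed payloads (not from the advisory). The first breaks out of the
// title attribute and adds a handler that fires when the slide is hovered,
// which matches the trigger described for the memo tooltip; the second is a
// plain tag injection that fires as soon as the tooltip body is rendered.
const HOVER_PAYLOAD = '" onmouseover="alert(document.cookie)" x="';
const TAG_PAYLOAD = '<img src=x onerror=alert(1)>';

for (const memo of [HOVER_PAYLOAD, TAG_PAYLOAD]) {
  console.log('vulnerable:', eventHandlerAttributes(renderMemoTooltipVulnerable('42', memo)));
  console.log('hardened:  ', eventHandlerAttributes(renderMemoTooltipSafe('42', memo)));
}
```

In a real browser-side viewer the equivalent fix is to assign the memo with `element.title = memo` and `element.textContent = memo` (or `setAttribute`) rather than building HTML strings, since those APIs never reinterpret the value as markup; the string-based escaping above is what a server-side or template-based renderer needs.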

Fix

XSS
