PT-2025-43058 · Unknown · Oct8Ne Chatbot

Published: 2025-10-22 · Updated: 2025-10-22 · CVE-2025-11952

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Oct8ne Chatbot version 2.3

Description: A stored cross-site scripting (XSS) issue exists in Oct8ne Chatbot version 2.3. This allows an attacker to execute JavaScript code in a victim’s browser by injecting a malicious payload through the creation of a transcript sent by email. Exploitation can lead to the theft of sensitive user data, such as session cookies, or actions performed on behalf of the user. The attack vector involves the /Records/SendSummaryMail API endpoint.

Recommendations: Update Oct8ne Chatbot to a newer version that addresses this issue. As a temporary workaround, sanitize all user-supplied input before it is stored or displayed to prevent the injection of malicious scripts. Restrict access to the /Records/SendSummaryMail endpoint to authorized users only.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2025-11952

Affected Products

Oct8Ne Chatbot