PT-2025-46825 · Unknown · Xcally Omnichannel
Published 2025-11-13 · Updated 2025-11-13
CVE-2025-40681
CVSS v4.0: 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
xCally Omnichannel version 3.30.1
Description
A cross-site scripting (XSS) issue exists in xCally Omnichannel version 3.30.1. It allows an attacker to execute JavaScript code in a victim's browser: the attacker sends the victim a malicious URL whose failureMessage parameter for the '/login' API endpoint carries a crafted payload, which the login page reflects back to the browser. Successful exploitation could lead to the theft of sensitive user data, such as session cookies, or to actions being performed on behalf of the user.
Recommendations
Update xCally Omnichannel to a version that addresses this issue. As a temporary workaround, sanitize the failureMessage parameter in the '/login' API endpoint to prevent the injection of malicious scripts.
Fix
XSS
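The workaround above asks for the failureMessage value to be sanitized before it reaches the login page. As an added example (not xCally's code, and the function names, allowlist and sample URLs are assumptions), here are the two usual defensive shapes: HTML-encoding the reflected value so it can only ever render as text, and, stronger, treating the parameter as a key into a fixed set of messages so free-form text is never reflected at all.

```python
"""Added example (not xCally's code): defensive rendering of a reflected
``failureMessage`` query parameter on a login page. Names are assumptions."""
import html
from urllib.parse import parse_qs, urlsplit

# Assumption: the login page only needs a small fixed set of failure texts,
# so the parameter can be a lookup key instead of text to display.
KNOWN_FAILURES = {
    "bad_credentials": "Invalid username or password.",
    "locked": "Account temporarily locked. Try again later.",
    "expired": "Your session has expired. Please sign in again.",
}
DEFAULT_FAILURE = "Login failed."


def failure_from_url(url: str) -> str:
    """Return the raw failureMessage value from a /login URL ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("failureMessage", [""])[0]


def render_escaped(raw: str) -> str:
    """Hardened rendering when free text must be reflected: HTML-encode it,
    quotes included, so the value cannot close the element or add markup."""
    return f'<div class="alert">{html.escape(raw, quote=True)}</div>'


def render_allowlisted(raw: str) -> str:
    """Stronger fix: never reflect the value; map it to a known message."""
    return f'<div class="alert">{KNOWN_FAILURES.get(raw, DEFAULT_FAILURE)}</div>'


if __name__ == "__main__":
    # Constructed sample URLs: an ordinary failure code and a value with markup.
    for url in ("https://pbx.example/login?failureMessage=bad_credentials",
                "https://pbx.example/login?failureMessage=%3Cb%3Ehi%3C%2Fb%3E"):
        raw = failure_from_url(url)
        print(render_escaped(raw))
        print(render_allowlisted(raw))
```

Output encoding is the minimum; the allowlist variant is preferable because it removes the reflected-input sink entirely.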
Affected Products
Xcally Omnichannel