CVE-2025-63243

Name of the Vulnerable Software and Affected Versions Pixeon WebLaudos version 25.1 (01)

Description A reflected cross-site scripting (XSS) issue exists in the password change functionality. An attacker can create a malicious URL that, when opened by a user, causes arbitrary JavaScript code to run in the user’s browser within the security context of the application. The sle sSenha parameter of the /loginAlterarSenha.asp API endpoint is vulnerable. This could allow attackers to steal session cookies, reveal sensitive information, perform actions without authorization, or carry out phishing attacks.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider carefully validating and sanitizing the sle sSenha parameter in the /loginAlterarSenha.asp endpoint to prevent the injection of malicious scripts.