PT-2025-6040 · Kelio · Kelio Visio 1+2

Ismael Pacheco Torrecilla · Published 2025-02-10 · Updated 2025-02-10 · CVE-2025-1175

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Kelio Visio 1 versions 3.2C through 5.1K
Kelio Visio X7 versions 3.2C through 5.1K
Kelio Visio X4 versions 3.2C through 5.1K

Description
The issue is a Reflected Cross-Site Scripting (XSS) vulnerability that could allow an attacker to execute a JavaScript payload by making a POST request and injecting malicious code into the editable username parameter of the "/PageLoginVisio.do" endpoint.

Recommendations
For Kelio Visio 1 versions 3.2C through 5.1K, consider disabling the editable username parameter in the "/PageLoginVisio.do" endpoint until a patch is available.
For Kelio Visio X7 versions 3.2C through 5.1K, restrict access to the "/PageLoginVisio.do" endpoint to minimize the risk of exploitation.
For Kelio Visio X4 versions 3.2C through 5.1K, avoid using the username parameter in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
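The weakness behind this advisory is the classic reflected-XSS pattern: a value taken from the POST body is written back into the login page without output encoding. The following Python example is added here to illustrate that pattern and its fix; it is not Kelio's code, and the real implementation of "/PageLoginVisio.do" is not public. The HTML template, the parameter name "username", and the helper names are assumptions made for the illustration. It shows a renderer that reflects the value raw beside one that HTML-attribute-encodes it, plus a regression check a defender can run against either renderer using a constructed, harmless markup probe rather than an attack payload.

```python
import html
from urllib.parse import parse_qs, quote

# Hypothetical minimal login page. The action path is taken from the advisory;
# the rest of the markup and the parameter name "username" are assumptions.
LOGIN_TEMPLATE = (
    '<form method="post" action="/PageLoginVisio.do">'
    '<input type="text" name="username" value="{username}">'
    '<input type="password" name="password">'
    '</form>'
)


def _username_from_body(form_body: str) -> str:
    """Extract the username field from an application/x-www-form-urlencoded body."""
    params = parse_qs(form_body, keep_blank_values=True)
    return params.get("username", [""])[0]


def render_login_vulnerable(form_body: str) -> str:
    """Reflects the POSTed username into an attribute with no encoding.

    This is the CWE-79 pattern the advisory describes: whatever the client
    sends becomes part of the page that the same client's browser renders.
    """
    return LOGIN_TEMPLATE.format(username=_username_from_body(form_body))


def render_login_hardened(form_body: str) -> str:
    """Same page, but the reflected value is encoded for an HTML attribute.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    value can no longer close the attribute or open a new tag.
    """
    safe = html.escape(_username_from_body(form_body), quote=True)
    return LOGIN_TEMPLATE.format(username=safe)


# Constructed probe: harmless markup that would break out of the value
# attribute if it were reflected verbatim. Not an exploit string.
PROBE = '"><i>probe</i>'


def reflects_unencoded_markup(render, probe: str = PROBE) -> bool:
    """Regression check: True if the renderer echoes the probe verbatim.

    Use it against any handler that writes request data into a page; a
    hardened handler must return False for every probe.
    """
    body = "username=" + quote(probe, safe="")
    return probe in render(body)


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_unencoded_markup(render_login_vulnerable))
    print("hardened reflects markup:  ", reflects_unencoded_markup(render_login_hardened))
    print(render_login_hardened("username=a%22b"))
```

The check is deliberately renderer-agnostic: it takes any function that maps a request body to a page, so it can be pointed at a template engine, a servlet wrapper or a recorded response from a test instance. Encoding at the output point, as in `render_login_hardened`, is the fix that survives changes to input validation; the advisory's interim advice (disabling the editable parameter or restricting access to the endpoint) reduces exposure until the vendor ships that fix.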

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-1175

Affected Products

Kelio Visio 1
Kelio Visio X4
Kelio Visio X7