PT-2025-6112 · Unknown · Zoo-Project

Xbow-Security · Published 2025-02-10 · Updated 2025-02-12 · CVE-2025-25189

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: ZOO-Project versions prior to commit 7a5ae1a
Description: The issue is a reflected Cross-Site Scripting (XSS) vulnerability in the publish.py CGI script of the ZOO-Project Web Processing Service (WPS). The script reflects the value of the jobid request parameter into its HTTP response without HTML encoding or sanitization, so an attacker can inject JavaScript into the returned page. When a victim opens a specially crafted URL pointing to this endpoint, the injected JavaScript executes in the victim's browser context.
Recommendations: Update to a version that includes the fix provided in commit 7a5ae1a. Until that fix is deployed, as a temporary workaround disable the jobid parameter in the publish.py CGI script, avoid using the jobid parameter on the affected endpoint, and restrict access to the publish.py CGI script to reduce the exposure.
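The pattern described above, reduced to a constructed CGI-style handler (this is an added illustration, not ZOO-Project's publish.py): the vulnerable renderer echoes jobid verbatim, the fixed renderer HTML-encodes it on output, and a small check shows how a defender can verify that a probe tag no longer comes back unencoded. The page layout and the probe value are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed example, not ZOO-Project code: a minimal handler that mimics a
# CGI script echoing the "jobid" query parameter into an HTML status page.


def get_jobid(query_string: str) -> str:
    """Return the first jobid value from a raw QUERY_STRING, percent-decoded."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("jobid", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects jobid verbatim: any markup in the parameter reaches the browser."""
    jobid = get_jobid(query_string)
    return f"<html><body><p>Job {jobid} published.</p></body></html>"


def render_fixed(query_string: str) -> str:
    """HTML-encodes jobid before it is placed in the response body.

    quote=True also encodes quotes, so the same value is safe inside an
    attribute. Validating jobid against the expected identifier format
    (an assumption about the application) would be a second, independent layer.
    """
    jobid = get_jobid(query_string)
    safe = html.escape(jobid, quote=True)
    return f"<html><body><p>Job {safe} published.</p></body></html>"


def reflects_raw_tag(page: str, tag: str = "<i>") -> bool:
    """Verification check: does the response contain the probe tag unencoded?"""
    return tag in page


if __name__ == "__main__":
    # Constructed probe: jobid=abc<i>probe</i> (a harmless tag, percent-encoded)
    probe = "jobid=abc%3Ci%3Eprobe%3C%2Fi%3E"
    print(reflects_raw_tag(render_vulnerable(probe)))  # True: tag reflected raw
    print(reflects_raw_tag(render_fixed(probe)))       # False: tag is encoded
```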

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2025-25189, GHSA-PW7M-P9Q7-357P

Affected Products: Zoo-Project