CVE-2025-56313

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-56313
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56313.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-56313
Published
2025-10-30T18:15:32Z
Modified
2025-11-06T01:21:02.980211Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 (inclusive). It allows remote attackers to execute arbitrary JavaScript in a user's web browser by placing a malicious payload in the "code" URL parameter, which the endpoint reflects into the response without adequate encoding. When an authenticated admin user opens the study's URL, the injected script is rendered into the page and executes in their browser, which can lead to unauthorized actions, account compromise, and privilege escalation.

References

Affected packages

Git / github.com/jatos/jatos

Affected ranges

Type
GIT
Repo
https://github.com/jatos/jatos
Events

Affected versions

v3.*

v3.7.1
v3.7.2
v3.7.3
v3.7.3-alpha
v3.7.4
v3.7.4-alpha
v3.7.5
v3.7.5-alpha
v3.7.6
v3.8.1
v3.8.1-alpha
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.5-alpha
v3.8.6
v3.9.1
v3.9.1-alpha
v3.9.2
v3.9.3
v3.9.4
v3.9.5
v3.9.6