CVE-2025-55888 — HIGH (7.3)

Vulnerability Description

Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encoded when rendered, allowing script execution in the context of users browsers. This flaw could lead to session hijacking, cookie theft, and other malicious actions.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Ard	Gec En Ligne	-

Related Weaknesses (CWE)

CWE-79

References

http://alpes.comBroken Link
http://ard.comBroken Link
https://github.com/0xZeroSec/CVE-2025-55888Exploit
https://services.ard.fr/?eID=tx_afereload_ajax_transactionmanagerProduct

FAQ

What is CVE-2025-55888?

CVE-2025-55888 is a vulnerability with a CVSS score of 7.3 (HIGH). Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountNam...

How severe is CVE-2025-55888?

CVE-2025-55888 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-55888?

Check the references section above for vendor advisories and patch information. Affected products include: Ard Gec En Ligne.