CVE-2025-63416 — CRITICAL (9.1)

Vulnerability Description

** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute arbitrary JavaScript in the context of other users' sessions. This can be exploited to access administrative data and functions, leading to privilege escalation and full compromise of sensitive user data, as demonstrated by the ability to fetch and exfiltrate the contents of the /admin/users endpoint.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Selfbest	Selfbest	2023.3

Related Weaknesses (CWE)

CWE-79

References

https://rohitchaudhary045.medium.com/cve-2025-63416-the-admin-panel-heist-storedExploitMitigationThird Party Advisory
https://self.bestProduct

FAQ

What is CVE-2025-63416?

CVE-2025-63416 is a vulnerability with a CVSS score of 9.1 (CRITICAL). ** exclusively-hosted-service ** A Stored Cross-Site Scripting (XSS) vulnerability in the chat functionality of the SelfBest platform 2023.3 allows authenticated low-privileged attackers to execute ar...

How severe is CVE-2025-63416?

CVE-2025-63416 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-63416?

Check the references section above for vendor advisories and patch information. Affected products include: Selfbest Selfbest.