Platform: php
Component: razgover
Fixed in: 37.0.1
CVE-2019-25262 describes a cross-site scripting (XSS) vulnerability discovered in Razgover, specifically within the Chattify/send.php file of the Chat Message Handler component. Successful exploitation allows remote attackers to inject malicious scripts, potentially compromising user sessions and data integrity. This vulnerability affects versions of Razgover up to commit db37dfc5c82f023a40f2f7834ded6633fb2b5262. A patch (commit 995dd89d0e3ec5522966724be23a5d58ca1bdac3) is available, and upgrading to version 37.0.1 is recommended.
The primary impact of CVE-2019-25262 is the potential for cross-site scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the 'msg' argument of the Chattify/send.php endpoint. When a user views the affected page, the injected script executes in their browser context, allowing the attacker to steal cookies, redirect the user to a malicious website, or deface the application. The remote nature of the vulnerability means an attacker doesn't need to be authenticated to exploit it, significantly broadening the attack surface. This vulnerability shares similarities with other XSS flaws, where user-supplied input is not properly sanitized before being rendered in a web page, potentially leading to account takeover or data exfiltration.
CVE-2019-25262 has a CVSS score of 3.5 (LOW), indicating a relatively low probability of exploitation. There is no indication that this vulnerability is currently being actively exploited in the wild. Public proof-of-concept (PoC) code is not widely available. The vulnerability was published on 2025-12-31. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Razgover, particularly those relying on its Chat Message Handler component for internal communication or customer support, are at risk. Systems with older, unpatched versions of Razgover (prior to 37.0.1) are particularly vulnerable. Shared hosting environments where multiple users share the same Razgover instance are also at increased risk, as an attacker could potentially compromise other users through this vulnerability.
• php: Examine access logs for requests to Chattify/send.php with unusual or suspicious characters in the 'msg' parameter. Use grep to search for patterns like <script or onerror=. Because browsers and HTTP clients usually percent-encode these characters in query strings, match the URL-encoded forms as well; note that parameters sent in a POST body do not appear in the access log at all.
grep 'Chattify/send.php' /var/log/apache2/access.log | grep -Ei '<script|%3Cscript|onerror=|onerror%3D'   # raw and URL-encoded forms, case-insensitive
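The same log check carried a step further, as an added example that is not part of the original advisory or of Razgover: it parses Apache combined-format lines, decodes the 'msg' query parameter of Chattify/send.php requests, and flags script markup or inline event handlers. The log lines are constructed samples; the detection regex is a heuristic and will need tuning on real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /Chattify/send.php?msg=hello HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2026:10:00:02 +0000] "GET /Chattify/send.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2026:10:00:03 +0000] "GET /Chattify/send.php?msg=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Heuristic: script tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
SUSPICIOUS_RE = re.compile(
    r'<\s*script|<\s*/\s*script|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE
)

def suspicious_msg_requests(log_text):
    """Return one dict per Chattify/send.php request whose decoded 'msg' looks like markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/Chattify/send.php"):
            continue
        for msg in parse_qs(parts.query, keep_blank_values=True).get("msg", []):
            # parse_qs already decoded once; decode again to catch double-encoded input.
            decoded = unquote_plus(msg)
            if SUSPICIOUS_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"), "msg": decoded})
    return hits

if __name__ == "__main__":
    for hit in suspicious_msg_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], repr(hit["msg"]))
```

Only GET requests are visible this way; if send.php is called with POST, the message body must be captured by the application or a WAF to run an equivalent check.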
Exploit status:
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2019-25262 is to apply the provided patch (995dd89d0e3ec5522966724be23a5d58ca1bdac3) and upgrade Razgover to version 37.0.1. Given Razgover's rolling release system, immediate patching is crucial. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters or patterns in the 'msg' parameter. Input validation on the server-side, specifically sanitizing user-supplied data before rendering it in the web page, is a crucial long-term security practice. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'msg' parameter and verifying that it does not execute.
Apply patch 995dd89d0e3ec5522966724be23a5d58ca1bdac3, available in the project repository. This patch fixes a Cross-Site Scripting (XSS) vulnerability in the handling of chat messages. If the patch cannot be applied, consider migrating to a more secure and actively maintained chat solution.
CVE-2019-25262 is a cross-site scripting (XSS) vulnerability in Razgover's Chattify/send.php component, allowing remote attackers to inject malicious scripts.
You are affected if you are using Razgover versions up to db37dfc5c82f023a40f2f7834ded6633fb2b5262 and have not applied the patch.
Apply the patch 995dd89d0e3ec5522966724be23a5d58ca1bdac3 and upgrade to version 37.0.1.
There is currently no evidence of active exploitation of CVE-2019-25262 in the wild.
Refer to the Razgover release notes and security advisories for details on this vulnerability and the associated patch.