CVE-2025-60948 in CSWeb
Summary
by MITRE • 03/24/2026
Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2025-60948 affects Census CSWeb version 8.0.1 and represents a critical stored cross-site scripting flaw that enables authenticated attackers to inject malicious javascript code into user-supplied fields. This vulnerability exists within the web application's input validation mechanisms, where user-provided data is not properly sanitized before being stored and subsequently rendered in web pages. The flaw allows an attacker who has gained authentication access to the system to persistently inject malicious scripts that will execute whenever other users view the affected content, creating a persistent threat vector that can compromise multiple victims over time.
The technical implementation of this vulnerability stems from inadequate input sanitization and output encoding practices within the CSWeb application framework. When authenticated users submit data through various input fields, the application fails to properly validate or escape special characters that could be interpreted as executable javascript code. This weakness directly maps to CWE-79 which defines Cross-Site Scripting vulnerabilities as the result of insufficient validation or encoding of user-supplied data. The stored nature of this vulnerability means that malicious payloads are saved in the application's database or storage mechanisms, making them persistent across user sessions and browser reloads, unlike reflected XSS variants that require specific user interactions to trigger.
The operational impact of CVE-2025-60948 extends beyond simple data theft or defacement, as it provides attackers with the capability to establish persistent footholds within the target environment. Once an attacker successfully injects malicious javascript, they can potentially steal session cookies, redirect users to malicious sites, perform actions on behalf of victims, or harvest sensitive information from the application. This vulnerability aligns with several tactics described in the MITRE ATT&CK framework under the T1531 and T1566 categories, which involve techniques for executing malicious code and establishing persistence through web application vulnerabilities. The attack surface is particularly concerning for organizations using Census CSWeb for sensitive data management, as the vulnerability can be exploited to compromise confidential information and potentially escalate privileges within the application.
Organizations utilizing Census CSWeb 8.0.1 should immediately implement mitigation strategies including upgrading to version 8.1.0 alpha which contains the necessary patches to address this vulnerability. The upgrade process should include thorough testing of all user input fields and validation mechanisms to ensure the fix properly handles all potential javascript injection vectors. Additional defensive measures include implementing comprehensive input validation at multiple layers, deploying web application firewalls to detect and block suspicious payloads, and conducting regular security assessments of user-supplied content. Network monitoring should be enhanced to detect unusual patterns of data submission that might indicate exploitation attempts. The vulnerability also highlights the importance of adhering to secure coding practices and implementing proper output encoding mechanisms to prevent the execution of malicious code in web applications.