CVE-2025-65572 in AllSky

Summary

by MITRE • 12/09/2025

Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when a user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker.


Analysis

by VulDB Data Team • 12/10/2025

This cross site scripting vulnerability exists within the AllskyTeam AllSky v2024.12.06_06 software, specifically in the allskySettings.php endpoint which fails to properly sanitize user input parameters. The vulnerability affects three distinct input vectors including the config, filename, and extratext parameters, creating multiple attack surfaces for malicious actors. The flaw stems from insufficient input validation and output encoding mechanisms that allow malicious payloads to be stored and subsequently executed when the affected page is rendered. This represents a classic reflected XSS vulnerability pattern where user-supplied data flows directly into the application's output without proper sanitization, creating an environment where attacker-controlled scripts can be executed within the context of the victim's browser session. The vulnerability is particularly concerning because it leverages the showMessages() function in status_messages.php which is designed to display error messages but inadvertently executes injected scripts when the page reloads or when users navigate to the allskySettings.php endpoint.

The technical implementation of this vulnerability follows CWE-79 principles for cross site scripting flaws, where the application fails to properly encode output that contains untrusted data. Attackers can exploit this by crafting malicious payloads and submitting them through any of the three vulnerable parameters, which are then stored in the application's message handling system. When the status_messages.php file executes the showMessages() function, it processes these stored messages and outputs them directly to the browser without adequate sanitization. This creates a persistent XSS scenario where the malicious code executes whenever the affected page is accessed, potentially allowing attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. The vulnerability operates at the application layer and requires no special privileges to exploit, making it particularly dangerous in environments where legitimate users regularly access the settings page.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable more sophisticated attacks within the AllSky system. An attacker who successfully exploits this vulnerability could potentially escalate privileges, access sensitive configuration data, or manipulate the camera system's operational parameters. The persistent nature of the vulnerability means that once exploited, the malicious code will continue to execute for all users who access the affected page, creating a long-term security risk. The attack vector is particularly concerning because it requires minimal user interaction beyond navigating to the vulnerable page, and the exploitation can occur through various methods including social engineering or automated scanning tools. This vulnerability directly impacts the security posture of surveillance systems that rely on AllSky for camera management, potentially compromising the integrity and confidentiality of the entire surveillance infrastructure.

Mitigation strategies for this vulnerability should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application. The most effective immediate fix involves sanitizing all user-supplied input parameters before they are processed or stored, with particular attention to the config, filename, and extratext parameters in allskySettings.php. Implementing proper HTML escaping and context-appropriate encoding for all output generated by the showMessages() function will prevent malicious scripts from executing. Additionally, the application should employ Content Security Policy (CSP) headers to limit script execution and prevent unauthorized code injection. Regular security audits and input validation testing should be implemented to prevent similar vulnerabilities from emerging in future releases. The fix should also include proper error handling that does not expose internal system information and ensures that all user-generated content is properly validated before being displayed. Organizations using AllSky should also consider implementing network segmentation and access controls to limit exposure of the vulnerable application to untrusted users. This vulnerability highlights the critical importance of secure coding practices and proper input validation in web applications, particularly those handling sensitive operational data in security-critical environments.
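The output-encoding and CSP points above, as an added PHP sketch that is not AllSky's code: the MessageQueue class, its method names and the sample parameter value are hypothetical stand-ins for the message queue that showMessages() prints. The CSP value is an assumption and would need adjusting for any inline scripts the real pages rely on.

```php
<?php
// Hypothetical stand-in for a status-message queue; not AllSky's status_messages.php.
final class MessageQueue
{
    private const LEVELS = ['success', 'info', 'warning', 'danger'];
    private array $messages = [];

    public function add(string $text, string $level = 'info'): void
    {
        // The level ends up inside a class attribute, so allow-list it.
        $level = in_array($level, self::LEVELS, true) ? $level : 'info';
        $this->messages[] = ['text' => $text, 'level' => $level];
    }

    // "Before": the stored text is written into the page as markup.
    public function renderUnsafe(): string
    {
        $out = '';
        foreach ($this->messages as $m) {
            $out .= "<div class=\"alert alert-{$m['level']}\">{$m['text']}</div>\n";
        }
        return $out;
    }

    // "After": encode at output time for the HTML body context.
    public function renderSafe(): string
    {
        $out = '';
        foreach ($this->messages as $m) {
            $text = htmlspecialchars($m['text'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
            $out .= "<div class=\"alert alert-{$m['level']}\">{$text}</div>\n";
        }
        return $out;
    }
}

// Constructed test value standing in for a request parameter such as filename.
$filename = '<script>alert(1)</script>';
$queue = new MessageQueue();
$queue->add("File '{$filename}' not found", 'danger');

// Defence in depth: inline script is refused even if one encoding call is missed.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

echo $queue->renderUnsafe(); // the tag is emitted as markup
echo $queue->renderSafe();   // the tag is emitted as inert text
```

Encoding at render time rather than when the message is queued means every path that adds a message is covered, whichever of the three parameters it came from.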

Responsible: MITRE
Reservation: 11/18/2025
Disclosure: 12/09/2025
Moderation: accepted
CPE: ready
EPSS: 0.00090
KEV: no
Activities: very low
