Commvault WebConsole up to 11.32.0/11.36.0/11.40.0/11.42.0 Report Builder cross site scripting

Summaryinfo

A vulnerability labeled as problematic has been found in Commvault WebConsole up to 11.32.0/11.36.0/11.40.0/11.42.0. The impacted element is an unknown function of the component Report Builder. Such manipulation leads to cross site scripting. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is listed as CVE-2025-12776. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Commvault WebConsole up to 11.32.0/11.36.0/11.40.0/11.42.0. It has been rated as problematic. Affected by this issue is an unknown part of the component Report Builder. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. CVE summarizes:

The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience.  Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole.  The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes.

The advisory is shared for download at documentation.commvault.com. This vulnerability is handled as CVE-2025-12776 since 11/05/2025. The exploitation is known to be easy. The attack may be launched remotely. Additional levels of successful authentication are necessary for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

Upgrading to version 11.40.1 or 11.42.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-206259). Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Commvault

Name

• WebConsole

Version

• 11.0
• 11.1
• 11.2
• 11.3
• 11.4
• 11.5
• 11.6
• 11.7
• 11.8
• 11.9
• 11.10
• 11.11
• 11.12
• 11.13
• 11.14
• 11.15
• 11.16
• 11.17
• 11.18
• 11.19
• 11.20
• 11.21
• 11.22
• 11.23
• 11.24
• 11.25
• 11.26
• 11.27
• 11.28
• 11.29
• 11.30
• 11.31
• 11.32
• 11.32.0
• 11.33
• 11.34
• 11.35
• 11.36
• 11.36.0
• 11.37
• 11.38
• 11.39
• 11.40
• 11.40.0
• 11.41
• 11.42.0

Support

• end of life

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion