Description
Coohoom SaaS is susceptible to a persistent cross site scripting vulnerability...
Basic Information
ID
PACKETSTORM:212532
Published
Dec 8, 2025 at 00:00
Affected Product
Affected Versions
# CVE-2025-65300
[Description]
CVE-2025-65300: Stored Cross-Site Scripting (XSS) Vulnerability in Coohom SaaS Platform
Disclosure Date: 2025-10-28
Last Updated: 2025-10-28
Reporter: Phisit Pupiw
Vendor: Coohom
CWE: CWE-79 β Cross-Site Scripting
------------------------------------------
[Summary]
A stored Cross-Site Scripting (XSS) vulnerability was identified in the Coohom SaaS Platform within the Account Settings β Profile β Address module. User-supplied input stored in the City, State, and Country/Region fields is rendered back to the client without proper sanitization or context-aware output encoding.
This allows attackers to store malicious JavaScript payloads that execute whenever the affected profile area is viewed.
The issue affects production build feVersion=1760060603897 (verified on 2025-10-28).
------------------------------------------
[Vulnerability Details]
The frontend renders user data directly from "window.SAAS_ENV.userInfo.{city, state, country}" without sanitization or escaping, causing stored XSS when injected payloads are stored in the database and later displayed in the UI.
Example Malicious Payload "</script><script>alert(document.cookie)</script>" When this payload is entered into the City field, saved, and the profile page is reloaded, arbitrary JavaScript executes in the victimβs browser.
------------------------------------------
[Affected Components]
Module: Account Settings β Profile β Address fields
Fields: city, state, country
Frontend Build Affected: feVersion=1760060603897
Production URL: https://www.coohom.com/pub/saas/settings/account
------------------------------------------
[Impact]
An attacker can perform the following:
- Execute arbitrary JavaScript in the victimβs browser
- Steal session cookies (subject to browser protections)
- Perform actions on behalf of the victim
- Redirect users or inject malicious content
- Persist malicious scripts affecting all future views
------------------------------------------
[Attack Vector]
- Access Required: Authenticated user
- Attack Type: Remote
- User Interaction: Viewing affected profile page
------------------------------------------
[Attack Flow]
1. Attacker signs in or registers a Coohom account
2. Navigates to Account Settings β Profile β Address
3. Inserts malicious payload into City, State, or Country/Region
4. Saves the form
5. Script executes whenever the profile section is rendered
------------------------------------------
[Proof of Concept (PoC)]
Steps to Reproduce
1. Login to Coohom (https://www.coohom.com)
2. Open Account Settings β Profile β Address
3. Input the payload below into the City field "</script><script>alert(document.cookie)</script>"
4. Save and refresh the page
5. JavaScript executes immediately β confirming stored
------------------------------------------
[Recommendation]
- Sanitize input on save
- Reject HTML tags and dangerous attributes
- HTML-encode
- JavaScript-encode
- Attribute-encode
- Implement Content-Security-Policy (CSP)
- Disable inline scripts with script-src 'self'
------------------------------------------
[References]
- https://www.coohom.com/pub/saas/settings/account
- CVE record status (MITRE): CVE-2025-65300 (RESERVED)
------------------------------------------
[Credits]
Discovered by : Phisit Pupiw
[Description]
CVE-2025-65300: Stored Cross-Site Scripting (XSS) Vulnerability in Coohom SaaS Platform
Disclosure Date: 2025-10-28
Last Updated: 2025-10-28
Reporter: Phisit Pupiw
Vendor: Coohom
CWE: CWE-79 β Cross-Site Scripting
------------------------------------------
[Summary]
A stored Cross-Site Scripting (XSS) vulnerability was identified in the Coohom SaaS Platform within the Account Settings β Profile β Address module. User-supplied input stored in the City, State, and Country/Region fields is rendered back to the client without proper sanitization or context-aware output encoding.
This allows attackers to store malicious JavaScript payloads that execute whenever the affected profile area is viewed.
The issue affects production build feVersion=1760060603897 (verified on 2025-10-28).
------------------------------------------
[Vulnerability Details]
The frontend renders user data directly from "window.SAAS_ENV.userInfo.{city, state, country}" without sanitization or escaping, causing stored XSS when injected payloads are stored in the database and later displayed in the UI.
Example Malicious Payload "</script><script>alert(document.cookie)</script>" When this payload is entered into the City field, saved, and the profile page is reloaded, arbitrary JavaScript executes in the victimβs browser.
------------------------------------------
[Affected Components]
Module: Account Settings β Profile β Address fields
Fields: city, state, country
Frontend Build Affected: feVersion=1760060603897
Production URL: https://www.coohom.com/pub/saas/settings/account
------------------------------------------
[Impact]
An attacker can perform the following:
- Execute arbitrary JavaScript in the victimβs browser
- Steal session cookies (subject to browser protections)
- Perform actions on behalf of the victim
- Redirect users or inject malicious content
- Persist malicious scripts affecting all future views
------------------------------------------
[Attack Vector]
- Access Required: Authenticated user
- Attack Type: Remote
- User Interaction: Viewing affected profile page
------------------------------------------
[Attack Flow]
1. Attacker signs in or registers a Coohom account
2. Navigates to Account Settings β Profile β Address
3. Inserts malicious payload into City, State, or Country/Region
4. Saves the form
5. Script executes whenever the profile section is rendered
------------------------------------------
[Proof of Concept (PoC)]
Steps to Reproduce
1. Login to Coohom (https://www.coohom.com)
2. Open Account Settings β Profile β Address
3. Input the payload below into the City field "</script><script>alert(document.cookie)</script>"
4. Save and refresh the page
5. JavaScript executes immediately β confirming stored
------------------------------------------
[Recommendation]
- Sanitize input on save
- Reject HTML tags and dangerous attributes
- HTML-encode
- JavaScript-encode
- Attribute-encode
- Implement Content-Security-Policy (CSP)
- Disable inline scripts with script-src 'self'
------------------------------------------
[References]
- https://www.coohom.com/pub/saas/settings/account
- CVE record status (MITRE): CVE-2025-65300 (RESERVED)
------------------------------------------
[Credits]
Discovered by : Phisit Pupiw