CVE-2025-55287

Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f	Patch
https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-18 17:15

Updated : 2025-09-03 15:57

NVD link : CVE-2025-55287

Mitre link : CVE-2025-55287

CVE.ORG link : CVE-2025-55287

JSON object : View

Products Affected

kreaweb

genealogy

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-55287", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-08-18T17:15:30.887", "references": [{"url": "https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user\u2019s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0."}, {"lang": "es", "value": "Genealogy es una aplicaci\u00f3n PHP de \u00e1rbol geneal\u00f3gico. Antes de la versi\u00f3n 4.4.0, se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) almacenado y autenticada en la aplicaci\u00f3n Genealog\u00eda. Los atacantes autenticados pod\u00edan ejecutar JavaScript arbitrario en la sesi\u00f3n de otro usuario, lo que provocaba secuestro de sesi\u00f3n, robo de datos y manipulaci\u00f3n de la interfaz de usuario. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.4.0."}], "lastModified": "2025-09-03T15:57:46.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD0549F0-B7AF-46DE-90A7-D8635A75836E", "versionEndExcluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}