CVE-2025-55287

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-55287
Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f Patch
https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r Third Party Advisory Mitigation
Configurations

Configuration 1 (hide)

cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*
History

03 Sep 2025, 15:57

Type Values Removed Values Added
CPE cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*
First Time Kreaweb genealogy
Kreaweb
Summary
  • (es) Genealogy es una aplicación PHP de árbol genealógico. Antes de la versión 4.4.0, se identificó una vulnerabilidad de Cross-Site Scripting (XSS) almacenado y autenticada en la aplicación Genealogía. Los atacantes autenticados podían ejecutar JavaScript arbitrario en la sesión de otro usuario, lo que provocaba secuestro de sesión, robo de datos y manipulación de la interfaz de usuario. Esta vulnerabilidad se corrigió en la versión 4.4.0.
CVSS v2 : unknown
v3 : 8.0 		v2 : unknown
v3 : 5.4
References () https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f - () https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f - Patch
References () https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r - () https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r - Third Party Advisory, Mitigation

18 Aug 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-18 17:15

Updated : 2025-09-03 15:57

NVD link : CVE-2025-55287

Mitre link : CVE-2025-55287

CVE.ORG link : CVE-2025-55287

JSON object : View

Products Affected

kreaweb

  • genealogy
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')