CVE-2025-55288

Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f	Patch
https://github.com/MGeurts/genealogy/security/advisories/GHSA-3h8x-g9xj-rhwg	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*

History

03 Sep 2025, 16:11

Type	Values Removed	Values Added
CPE		cpe:2.3:a:kreaweb:genealogy::::::::
First Time		Kreaweb genealogy Kreaweb
References	~~() https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f -~~	() https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f - Patch
References	~~() https://github.com/MGeurts/genealogy/security/advisories/GHSA-3h8x-g9xj-rhwg -~~	() https://github.com/MGeurts/genealogy/security/advisories/GHSA-3h8x-g9xj-rhwg - Third Party Advisory
Summary		(es) Genealogy es una aplicación PHP de árbol genealógico. Antes de la versión 4.4.0, se identificó una vulnerabilidad de Cross-Site Scripting (XSS) reflejado y autenticada en la aplicación Genealogy. Los atacantes autenticados podían ejecutar JavaScript arbitrario en la sesión de otro usuario, lo que provocaba secuestro de sesión, robo de datos y manipulación de la interfaz de usuario. Esta vulnerabilidad se corrigió en la versión 4.4.0.

18 Aug 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-18 17:15

Updated : 2025-09-03 16:11

NVD link : CVE-2025-55288

Mitre link : CVE-2025-55288

CVE.ORG link : CVE-2025-55288

JSON object : View

Products Affected

kreaweb

genealogy

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-55288", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-08-18T17:15:31.067", "references": [{"url": "https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-3h8x-g9xj-rhwg", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user\u2019s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0."}, {"lang": "es", "value": "Genealogy es una aplicaci\u00f3n PHP de \u00e1rbol geneal\u00f3gico. Antes de la versi\u00f3n 4.4.0, se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) reflejado y autenticada en la aplicaci\u00f3n Genealogy. Los atacantes autenticados pod\u00edan ejecutar JavaScript arbitrario en la sesi\u00f3n de otro usuario, lo que provocaba secuestro de sesi\u00f3n, robo de datos y manipulaci\u00f3n de la interfaz de usuario. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.4.0."}], "lastModified": "2025-09-03T16:11:31.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD0549F0-B7AF-46DE-90A7-D8635A75836E", "versionEndExcluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}