Share
## https://sploitus.com/exploit?id=959582EA-5BB9-533D-BFD2-4DFC559ED075
# CVE-2025-52204 โ€“ Reflected XSS / HTML Injection in Znuny `customer.pl`

## Summary

A Reflected Cross-Site Scripting (XSS) and HTML Injection vulnerability exists in Znuny, allowing attackers to inject arbitrary JavaScript or HTML via the parameter defined by the system configuration `CustomerPanelSessionName` in the `customer.pl` endpoint.

## Classification

- **CVE:** CVE-2025-52204
- **CWE:** CWE-79 โ€“ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- **CVSS v3.1 (researcher assessment):** 6.1 Medium
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

## Impact

Successful exploitation may allow an unauthenticated remote attacker to:

- inject arbitrary HTML or JavaScript into the response
- manipulate the customer-facing login interface
- display deceptive or phishing-style content
- redirect users to attacker-controlled resources
- execute script in the victim's browser within the context of the affected application

## Attack Requirements

- No authentication required
- Remote exploitation via crafted GET request
- Access to the public customer-facing interface

## Affected / Observed Versions

### Confirmed in controlled testing

- Znuny 6.5.9
- Znuny 6.5.17

### Observed during real-world research

The issue was also observed during research on publicly exposed real-world instances running:

- Znuny 7.0.11
- Znuny 7.2.x

To avoid unnecessarily exposing third-party systems, specific targets, URLs, and validation screenshots from those instances are intentionally omitted from this public repository.

## Fixed Versions

The vendor addressed this issue in:

- Znuny LTS 6.5.19
- Znuny 7.3.1

See [`docs/references.md`](docs/references.md) for the official public release references.

## Technical Note

The vulnerable input is associated with the parameter name defined by the Znuny system configuration key `CustomerPanelSessionName`.

In observed deployments, this parameter may appear as `OTRSCustomerInterface`, but this is not a universal literal value and may vary depending on the system configuration.

## Disclosure Timeline

A detailed timeline is available in [`docs/timeline.md`](docs/timeline.md).

## Additional Technical Details

More technical context is available in [`docs/technical-details.md`](docs/technical-details.md).

## References

Supporting references can be found in [`docs/references.md`](docs/references.md).

## Screenshots

### Reflected payload in controlled testing

![PoC 1](screenshots/1.png)
![PoC 2](screenshots/2.png)

### Additional controlled validation

![PoC 3](screenshots/3.png)
![PoC 4](screenshots/4.png)

### Browser-side impact demonstration

![PoC 5](screenshots/5.png)
![PoC 6](screenshots/6.png)
![PoC 7](screenshots/7.png)

## Mitigation / Workarounds

Administrators should upgrade to the vendor-fixed versions:

- Znuny LTS 6.5.19
- Znuny 7.3.1

Additional good practices include:

- reviewing public exposure of the customer-facing interface
- restricting unnecessary public access where operationally possible
- monitoring requests targeting `customer.pl`
- reviewing whether local configuration hardening reduces exposure, understanding that configuration changes alone may not constitute a full product fix

## Credit

Discovered and reported by **Miguel Ponce**.

## Disclosure Note

This repository documents a coordinated vulnerability disclosure process.  
It intentionally does not include:

- a live public target list
- mass-scanning data
- a weaponized payload set
- active exploitation guidance

The goal is to preserve technical accuracy while minimizing unnecessary risk to third parties.