## https://sploitus.com/exploit?id=959582EA-5BB9-533D-BFD2-4DFC559ED075
# CVE-2025-52204 โ Reflected XSS / HTML Injection in Znuny `customer.pl`
## Summary
A Reflected Cross-Site Scripting (XSS) and HTML Injection vulnerability exists in Znuny, allowing attackers to inject arbitrary JavaScript or HTML via the parameter defined by the system configuration `CustomerPanelSessionName` in the `customer.pl` endpoint.
## Classification
- **CVE:** CVE-2025-52204
- **CWE:** CWE-79 โ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- **CVSS v3.1 (researcher assessment):** 6.1 Medium
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
## Impact
Successful exploitation may allow an unauthenticated remote attacker to:
- inject arbitrary HTML or JavaScript into the response
- manipulate the customer-facing login interface
- display deceptive or phishing-style content
- redirect users to attacker-controlled resources
- execute script in the victim's browser within the context of the affected application
## Attack Requirements
- No authentication required
- Remote exploitation via crafted GET request
- Access to the public customer-facing interface
## Affected / Observed Versions
### Confirmed in controlled testing
- Znuny 6.5.9
- Znuny 6.5.17
### Observed during real-world research
The issue was also observed during research on publicly exposed real-world instances running:
- Znuny 7.0.11
- Znuny 7.2.x
To avoid unnecessarily exposing third-party systems, specific targets, URLs, and validation screenshots from those instances are intentionally omitted from this public repository.
## Fixed Versions
The vendor addressed this issue in:
- Znuny LTS 6.5.19
- Znuny 7.3.1
See [`docs/references.md`](docs/references.md) for the official public release references.
## Technical Note
The vulnerable input is associated with the parameter name defined by the Znuny system configuration key `CustomerPanelSessionName`.
In observed deployments, this parameter may appear as `OTRSCustomerInterface`, but this is not a universal literal value and may vary depending on the system configuration.
## Disclosure Timeline
A detailed timeline is available in [`docs/timeline.md`](docs/timeline.md).
## Additional Technical Details
More technical context is available in [`docs/technical-details.md`](docs/technical-details.md).
## References
Supporting references can be found in [`docs/references.md`](docs/references.md).
## Screenshots
### Reflected payload in controlled testing


### Additional controlled validation


### Browser-side impact demonstration



## Mitigation / Workarounds
Administrators should upgrade to the vendor-fixed versions:
- Znuny LTS 6.5.19
- Znuny 7.3.1
Additional good practices include:
- reviewing public exposure of the customer-facing interface
- restricting unnecessary public access where operationally possible
- monitoring requests targeting `customer.pl`
- reviewing whether local configuration hardening reduces exposure, understanding that configuration changes alone may not constitute a full product fix
## Credit
Discovered and reported by **Miguel Ponce**.
## Disclosure Note
This repository documents a coordinated vulnerability disclosure process.
It intentionally does not include:
- a live public target list
- mass-scanning data
- a weaponized payload set
- active exploitation guidance
The goal is to preserve technical accuracy while minimizing unnecessary risk to third parties.