CVE-2025-55887
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
A Cross-Site Scripting (XSS) vulnerability was discovered in the ARD meal reservation service. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that executes in the user's browser.
Risk Assessment
An attacker can hijack user sessions, steal cookies, and perform other malicious actions on behalf of the victim, potentially leading to data confidentiality breaches and system integrity compromise.
Recommendation
Immediately update the ARD service to the latest version that includes fixes for input validation and output encoding. In the meantime, implement filtering of the transactionID parameter and apply Content Security Policy (CSP) headers.
Original NVD description (English source)
Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user s browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim.

