Full Report
A Cross-site Scripting vulnerability (CVE-2025-12518) has been found in Befree SDK software.
Analysis Summary
# Vulnerability: Stored Cross-Site Scripting (XSS) in Befree SDK
## CVE Details
- **CVE ID:** CVE-2025-12518
- **CVSS Score:** Not explicitly provided in the source (Severity typically ranges from Medium to High for Stored XSS)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products:** Bee Content Design Befree SDK (email builder functionality)
- **Versions:** All versions prior to 3.47.0
- **Configurations:** Systems utilizing the Befree SDK email builder components, specifically the social media icon modules.
## Vulnerability Description
Stored Cross-site Scripting (XSS) exists in the Befree SDK email builder. The flaw resides in the handling of the "Social Media icon URL" parameter, which is not properly neutralized before being written into the page. An attacker can inject malicious HTML or JavaScript code into the email template through this parameter. The payload is stored on the server with the template and is later rendered, and executed, in the browser of any user who opens the template's preview page.
## Exploitation
- **Status:** Reported via Coordinated Vulnerability Disclosure (CVD); no mention of active exploitation in the wild.
- **Complexity:** Low (Standard XSS injection in a URL parameter).
- **Attack Vector:** Network (Remote)
- **Note:** The effectiveness of exploitation may be limited by the application's Content Security Policy (CSP), which may prevent certain payloads from executing successfully.
## Impact
- **Confidentiality:** Partial (Can lead to session hijacking or cookie theft, subject to CSP).
- **Integrity:** Partial (Allows for unauthorized modification of the preview page content).
- **Availability:** Low (Potential for page defacement).
## Remediation
### Patches
- **Update to Version 3.47.0** or later. Beefree has addressed the input neutralization flaw in this release.
### Workarounds
- No specific workarounds were provided. It is recommended to implement or strengthen a Content Security Policy (CSP) to limit the impact of script execution until the patch is applied.
## Detection
- **Indicators of Compromise:** Unusual JavaScript strings or HTML tags (e.g., `<script>`, `onerror`, `onload`) found within the social media icon URL metadata in saved email templates.
- **Detection methods and tools:** Web Application Firewalls (WAF) can be configured to detect common XSS patterns in incoming and outgoing SDK traffic. Static analysis (SAST) of stored templates can identify payloads that have already been persisted.
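As an added example, not code from Beefree or from the advisory, the following JavaScript applies the indicators listed above to a constructed saved template and shows the attribute encoding that proper input neutralization requires for the icon URL; the template layout, field names and sample URLs are assumptions.

```javascript
// Added example (not Beefree's own code): flags social-media icon URLs in a stored
// email template that look like CVE-2025-12518 payloads, and encodes a URL safely
// for an HTML attribute. The template layout is a constructed stand-in.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Heuristic patterns typical of stored-XSS payloads in a URL field: tag
// openers, inline event handlers, and script-bearing URL schemes.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z]/i,                    // "<script", "<img", "</a"
  /\bon[a-z]+\s*=/i,                     // onerror=, onload=, ...
  /^\s*(javascript|vbscript|data)\s*:/i, // script-bearing schemes
];

function isSafeIconUrl(raw) {
  // Reject anything that is not a parseable absolute URL with an allowed scheme.
  let url;
  try { url = new URL(String(raw)); } catch { return false; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  // Even with a good scheme, reject characters that could break out of an
  // href="" attribute if the renderer forgets to encode them.
  return !/["'<>]/.test(raw) && !SUSPICIOUS.some((re) => re.test(raw));
}

// Encode for use inside a double-quoted HTML attribute such as href="...".
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Walk a saved template and report every social icon whose URL fails the check.
function scanTemplate(template) {
  const findings = [];
  for (const block of template.blocks || []) {
    if (block.type !== "social") continue;
    for (const icon of block.icons || []) {
      if (!isSafeIconUrl(icon.url)) findings.push({ icon: icon.name, url: icon.url });
    }
  }
  return findings;
}

// Constructed sample: two benign icons, one tag injection, one script scheme.
const SAMPLE_TEMPLATE = { blocks: [{ type: "social", icons: [
  { name: "twitter", url: "https://twitter.com/example" },
  { name: "facebook", url: "https://facebook.com/example" },
  { name: "custom", url: 'https://example.com/"><script>/*constructed*/</script>' },
  { name: "linkedin", url: "javascript:void(0)" },
] }] };
console.log(scanTemplate(SAMPLE_TEMPLATE));
```

The event-handler pattern is deliberately broad and will flag benign query strings such as `online=1`; treat a hit as a lead to review, not a confirmed compromise.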
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/03/vulnerability-in-befree-sdk/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-12518
- **Vendor Website:** hxxps[://]beefree[.]io/