A stored cross-site scripting (XSS) vulnerability in the U2F Origin field of the Datacenter configuration in Proxmox Virtual Environment (PVE) 8.4 allows authenticated users to store malicious input. The payload is rendered unsafely in the Web UI and executed when viewed by other users, potentially leading to session hijacking or other attacks.
References
| Link | Resource |
|---|---|
| https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010 | Vendor Advisory Issue Tracking |
| https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss | Exploit Third Party Advisory |
| https://www.youtube.com/watch?v=-wvkN-7oT5U | Broken Link |
| https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss | Exploit Third Party Advisory |
Configurations
History
18 Sep 2025, 17:41
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010 - Vendor Advisory, Issue Tracking | |
| References | () https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss - Exploit, Third Party Advisory | |
| References | () https://www.youtube.com/watch?v=-wvkN-7oT5U - Broken Link | |
| CPE | cpe:2.3:a:proxmox:virtual_environment:8.4:*:*:*:*:*:*:* | |
| First Time |
Proxmox virtual Environment
Proxmox |
10 Sep 2025, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| CWE | CWE-79 | |
| References | () https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss - |
09 Sep 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-09 17:16
Updated : 2025-09-18 17:41
NVD link : CVE-2025-57539
Mitre link : CVE-2025-57539
CVE.ORG link : CVE-2025-57539
JSON object : View
Products Affected
proxmox
- virtual_environment
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')