CVE-2025-45236: A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows att...
A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Nickname parameter.
Security readout for executives and security teams
Plain-English summary
DBSyncer v2.0.6 has a stored XSS flaw in Edit Profile. An authenticated attacker can save malicious HTML or script in the Nickname field. If another user later views the affected profile, browser-side code may run in that user’s session.
Executive priority
Treat as a moderate application security issue. Prioritize if DBSyncer is internet-facing, used by multiple administrators, or stores sensitive operational data.
Technical view
CVE-2025-45236 is CWE-79 stored cross-site scripting in DBSyncer v2.0.6. The CVSS 3.1 score is 5.4 with network access, low attack complexity, low privileges, required user interaction, changed scope, and low confidentiality and integrity impact.
Likely exposure
Exposure appears limited to deployments of DBSyncer v2.0.6 where users can edit profile nicknames. Internet-accessible instances or shared administrative environments have higher practical risk.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. Exploitation requires an authenticated attacker to store content and another user to view affected rendered content.
Researcher notes
The public record names DBSyncer v2.0.6 and the Nickname parameter, but the affected-product metadata is sparse. Avoid broader version claims without vendor confirmation.
Mitigation direction
Check DBSyncer project and CVE references for maintainer guidance or a fixed release.
Restrict profile editing to trusted authenticated users until remediation is confirmed.
Review and clean existing Nickname values containing unexpected HTML or script-like content.
If maintaining a fork, enforce server-side validation and safe output encoding for Nickname.
Validation and detection
Confirm whether DBSyncer v2.0.6 is deployed in your environment.
Identify who can access the Edit Profile feature and modify Nickname values.
Review stored Nickname values for unexpected markup or script-like content.
Verify Nickname renders as encoded text, not executable browser markup.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.