AVE DOMINAplus 1.10.x Cross-Site Request Forgery and XSS Vulnerabilities

Advisories

severity: medium
date: December 24, 2025
Affecting: Unknown Web Server Code 53AB-WBS - 1.10.62
CVE: CVE-2019-25233
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-352 Cross-Site Request Forgery (CSRF)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-47821
AVE S.p.A. Official Website
DOMINAplus Product Page
Zero Science Lab Disclosure (ZSL-2019-5547)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.