Description
A Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.
Published: 2026-05-01
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic Cross-Site Scripting flaw in the GSVoIP web panel. The `msg` parameter in `/painel/gateways.php/error` is not properly sanitized, allowing an attacker to embed arbitrary JavaScript in the HTML response. When a victim opens the malicious link, the injected script runs in their browser with the same origin as the site. This can lead to session hijacking, theft of credentials, phishing, or the execution of other malicious client-side actions. The flaw does not affect the server directly, but it compromises the confidentiality, integrity, and availability of users interacting with the interface.

Affected Systems

Affected systems are installations of the GSVoIP web control panel from Solutionsvoip, specifically version 2.0.90. The vulnerability is exposed by sending a crafted request to the /painel/gateways.php/error endpoint, so any publicly accessible instance running this version is at risk.

Risk and Exploitability

The CVSS score of 6.1 denotes a medium-severity XSS flaw, and the EPSS score is not available. The flaw is a remote, client-side vulnerability: it requires no authentication, only that a user visit a crafted link to the page. Although it is not listed in CISA's KEV catalog, the potential for session hijacking, credential theft, or phishing through injected scripts warrants prompt attention.

Generated by OpenCVE AI on May 1, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Identify whether the GSVoIP web panel is running version 2.0.90 or earlier, and verify if any security patch has been applied.
  • Obtain and apply the vendor’s official fix that sanitizes the msg parameter (or upgrade to a newer GSVoIP release that contains the patch).
  • As a temporary countermeasure, configure the web server to encode or block payloads sent to the msg parameter, and enforce a strict Content-Security-Policy header to prevent execution of injected scripts.
  • Regularly test the panel with automated XSS scanners to ensure that no similar input validation issues remain.

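The two countermeasures in the recommended actions, output encoding of the reflected parameter and a strict Content-Security-Policy header, are shown below in a small PHP error page. This is an added illustration, not code from GSVoIP, Solutionsvoip or OpenCVE: the function names, the HTML wrapper and the sample input are assumptions, and the vulnerable variant only reproduces the pattern the advisory describes (raw parameter concatenated into the HTML response).

```php
<?php
// Added example (not GSVoIP/Solutionsvoip code): a minimal error page that
// reflects a "msg" query parameter, in the vulnerable form described by the
// advisory and in a hardened form. All names here are hypothetical.

// Vulnerable pattern (CWE-79): the raw parameter is concatenated into HTML,
// so any markup it contains becomes part of the page.
function render_error_vulnerable(string $msg): string
{
    return '<p class="error">' . $msg . '</p>';
}

// Hardened pattern: contextual output encoding for an HTML text node.
// htmlspecialchars turns <, >, &, " and ' into entities, so the browser
// renders the message literally instead of parsing it as markup.
function render_error_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="error">' . $encoded . '</p>';
}

// Defense in depth: a CSP that disallows inline script and scripts from
// other origins. A per-response nonce lets the panel's own <script> tags
// run while an injected inline script (which cannot know the nonce) is
// blocked even if encoding is missed somewhere else.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI !== 'cli') {
    // Web request: send the headers before any output, then the encoded page.
    $nonce = base64_encode(random_bytes(16));
    header(csp_header($nonce));
    header('X-Content-Type-Options: nosniff');

    // Reject non-string values (e.g. msg[]=...) rather than casting them.
    $msg = (isset($_GET['msg']) && is_string($_GET['msg'])) ? $_GET['msg'] : 'Unknown error';
    echo '<!doctype html><meta charset="utf-8">' . render_error_safe($msg);
} else {
    // Command-line check with a constructed sample input containing markup.
    $sample = 'Gateway offline <script>alert(1)</script>';
    echo "Vulnerable: " . render_error_vulnerable($sample) . "\n";
    echo "Hardened:   " . render_error_safe($sample) . "\n";
    echo csp_header('constructed-nonce') . "\n";
}
```

Run with `php example.php` to see the two renderings side by side: the hardened output contains `&lt;script&gt;` rather than a live tag. Encoding at the output point is the actual fix; the CSP is a second layer that limits damage if another reflection point is missed, and it only helps if the panel's legitimate inline scripts are moved to nonced or external files.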


Advisories

No advisories yet.

History

Fri, 01 May 2026 19:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79
Metrics                       cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description                   A Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T18:22:49.952Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69606

Vulnrichment

Updated: 2026-05-01T18:20:04.549Z

NVD

Status: Received

Published: 2026-05-01T18:16:13.607

Modified: 2026-05-01T19:16:29.350

Link: CVE-2025-69606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses