During a recent penetration test, Redguard’s security team identified a high-severity stored cross-site scripting (XSS) vulnerability in the Perx Customer Engagement & Loyalty Platform’s LMT Dashboard. This flaw, now assigned CVE-2025-11682, enabled an authenticated user to upload a specially crafted SVG image containing embedded JavaScript. The malicious script would then execute in the browsers of other users when they viewed the image on the LMT microsite. This allowed an attacker to hijack a user’s session, potentially performing unauthorized actions like modifying content, redirecting to malicious sites, or stealing sensitive information. This vulnerability was rated with a high-severity CVSS base score of 7.1. Following our coordinated disclosure, the vendor has released a patch to address this issue.

Vulnerability Details

Stored XSS allows persistent injection of malicious scripts into a web application. In this case, users with upload permissions in the LMT Dashboard could upload SVG files containing arbitrary JavaScript. When rendered by other users through the public LMT microsite, the script executes in their browser sessions.

The affected image upload feature was found in multiple locations within the LMT Dashboard, particularly in campaign-related functionality. The issue stems from the lack of proper sanitization of SVG files, which are treated as safe image formats but can embed executable code:

• Vulnerability Type: Stored Cross-Site Scripting (XSS) via SVG file upload
• Attack Vector: Authenticated user uploads SVG with embedded script in LMT Dashboard
• Execution Context: Public LMT Microsite
• Affected Product: Perx Customer Engagement & Loyalty Platform
• CVSS Score: 7.1 (High - CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L)
• CVE: CVE-2025-11682

Proof of Concept (PoC)

The following PoC affects Perx Customer Engagement & Loyalty Platform in versions before 4.6.70. To demonstrate the initial vulnerability, a new campaign in the LMT Dashboard was created. Then, the following SVG payload was uploaded as its main image:

1
2
3
4
5
6
7
<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert('SVG XSS');
  </script>
</svg>

The image is now rendered on the publicly accessible LMT microsite for this campaign. When loading the SVG image directly using its public URL, the embedded JavaScript code is executed, triggering an alert box and confirming that an attacker could run arbitrary code in the user’s session.

To address this issue, Perx deployed a patch with version 4.6.70 that removed the malicious parts of the SVG in the JavaScript client, once the image was selected in the browser:

However, as this mitigation was implemented on the client-side (which is under the attacker’s control), it could be bypassed as no additional server-side sanitization was applied when the campaign was saved. An attacker could therefore bypass the client-side check by inserting the malicious SVG payload directly into the following PUT request:

1
2
3
4
5
6
7
8
9
10
11
12
13
PUT /v4/dash/campaigns/1 HTTP/2
Host: [REDACT]
Content-Type: application/json

{
    "timezone": "UTC",
    "images": [{
        "file": "data:image/svg+xml;base64,PD94b[REDACT]2Zz4=",
        "filename": "xss.svg",
        "section": "campaign_thumbnail"
    }],
    [REDACT]
}

Impact

This vulnerability poses a significant threat to users interacting with the domain the LMT microsite is hosted on. If a malicious actor with access to the dashboard uploads an SVG file containing JavaScript, and a victim subsequently views that file, the embedded code will execute in the victim’s browser session. Such an attack could allow the adversary to hijack the victim’s session, impersonate their identity, access sensitive information, or even manipulate data.

For example, depending on the victim’s privileges, an attacker could potentially retrieve personal or financial data, or trigger unauthorized actions on their behalf. Although exploiting the vulnerability requires valid credentials and access rights to the LMT Dashboard, it gets particularly dangerous when combined with phishing techniques or targeted social engineering. A well-crafted attack could result in full session compromise with serious implications for affected users.

Mitigation Recommendations

The vendor has addressed this vulnerability in version 4.6.74, which Redguard’s security testers have confirmed as a successful mitigation. It is recommended to upgrade to this version. As an additional defense-in-depth measure, Redguard recommends implementing the following controls to reduce the impact of this and similar vulnerabilities:

• Implement a strict Content Security Policy (CSP): A well-configured CSP can block the execution of untrusted inline scripts and prevent data exfiltration.
• Use HttpOnly Cookies: Setting the HttpOnly flag on session cookies prevents them from being accessed by client-side scripts, directly mitigating session hijacking via XSS.

Further information on XSS mitigation can be found in the OWASP Cross Site Scripting Prevention Cheat Sheet.

Disclosure Timeline

The following timeline details all the steps taken in the coordinated vulnerability disclosure process:

• 2025-04-18: Vulnerability identified and customer notified.
• 2025-06-05: Customer approved direct disclosure and shared our contact information with the vendor.
• 2025-06-19: Contacted vendor directly as no communication had been initiated.
• 2025-07-29: Contacted vendor again after no response was provided.
• 2025-07-30: Response by vendor asking for samples of already published advisories.
• 2025-08-04: Redguard provided three samples of published advisories.
• 2025-08-06: Vendor confirmed their support for a Coordinated Vulnerability Disclosure (CVD).
• 2025-08-08: Technical advisory provided to vendor and timeline for a patch and version infos requested.
• 2025-08-19: Contacted vendor again after no response was provided.
• 2025-09-09: Contacted vendor again after no response was provided.
• 2025-09-10: Vendor responded and provided access to a demo environment with version 4.6.70 to validate the patch and did not answer other questions.
• 2025-09-10: Redguard provided instructions to bypass the latest patch to the vendor and requested infos about the version tested.
• 2025-09-10: Vendor confirmed the successful bypass and did not answer other questions.
• 2025-10-10: Contacted vendor again after no response was provided.
• 2025-10-13: Requested a CVE from BACS as Switzerland’s CNA.
• 2025-10-13: BACS reserved CVE-2025-11682 and offered their help in the process.
• 2025-10-16: Vendor responded and provided access to the a demo environment with version 4.6.74 to validate the second patch and provided additional version information.
• 2025-10-21: Redguard confirmed successful mitigation of the issue at hand in version 4.6.74 back to the vendor.
• 2025-10-27: Public release of advisory.

Disclaimer

This advisory is not an exhaustive list of all potential security issues for the mentioned software. Other vulnerabilities may exist. The information provided is believed to be accurate at the time of publishing. Use of this information is at your own risk. Neither the author nor the publisher accepts any liability for any loss or damage arising from the use of, or reliance on, this information.