A Reflected Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2, which allows an attacker to hijack a user’s browser and capture sensitive information.

| Vulnerability Type | (CWE-80) Cross Site Scripting (XSS) | 
| CVE Identifier | CVE-2025-54346 | 
| CVSS Score | 7.6 | 
| CVSS Vector | (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H) | 
| Vendor | Desktop Alert | 
| Affected Product | PingAlert Application Server | 
| Affected Versions | 6.1.0.11 – 6.1.1.2 | 
| Attacker | Non-authenticated user | 
| Impact | Hijack user’s browser, capturing sensitive information | 
| Mitigation | Fixed in version 6.1.1.4 | 

We would like to thank the NATO Cyber Security Centre (NCSC) for their assistance in uncovering and addressing this vulnerability, in particular Roberto Suggi Liverani (NCIA/NCSC) and Justin Hocquel (NCIA/NCSC).
