Coohom SaaS Cross Site Scripting

Coohom, a SaaS platform for interior design and 3D rendering, Coohom, a SaaS platform for interior design and 3D rendering, was found vulnerable to Cross-Site Scripting (XSS) attacks. This allowed malicious actors to inject client-side scripts into web pages viewed by other Coohom users.

The vulnerability typically arose from insufficient sanitization of user-supplied data in fields like project descriptions, comments, or profile sections. When a victim user accessed a page containing the injected script, the malicious code would execute within their browser.

Potential impacts included session hijacking (stealing authentication cookies), defacing web content, redirecting users to phishing sites, or stealing sensitive data accessible to the script. Such XSS flaws undermine user trust and data integrity in SaaS environments. Resolution involved implementing robust input validation and output encoding to neutralize malicious scripts before rendering.

# CVE-2025-65300

[Description]

CVE-2025-65300: Stored Cross-Site Scripting (XSS) Vulnerability in Coohom SaaS Platform

Disclosure Date: 2025-10-28
Last Updated: 2025-10-28
Reporter: Phisit Pupiw
Vendor: Coohom
CWE: CWE-79 ? Cross-Site Scripting

------------------------------------------

[Summary]

A stored Cross-Site Scripting (XSS) vulnerability was identified in the Coohom SaaS Platform within the Account Settings ? Profile ? Address module. User-supplied input stored in the City, State, and Country/Region fields is rendered back to the client without proper sanitization or context-aware output encoding.
This allows attackers to store malicious JavaScript payloads that execute whenever the affected profile area is viewed.
The issue affects production build feVersion=1760060603897 (verified on 2025-10-28).

------------------------------------------

[Vulnerability Details]

The frontend renders user data directly from "window.SAAS_ENV.userInfo.{city, state, country}" without sanitization or escaping, causing stored XSS when injected payloads are stored in the database and later displayed in the UI.
Example Malicious Payload "</script><script>alert(document.cookie)</script>" When this payload is entered into the City field, saved, and the profile page is reloaded, arbitrary JavaScript executes in the victim?s browser.

------------------------------------------

[Affected Components]

Module: Account Settings ? Profile ? Address fields
Fields: city, state, country
Frontend Build Affected: feVersion=1760060603897
Production URL: https://www.coohom.com/pub/saas/settings/account

------------------------------------------

[Impact]

An attacker can perform the following:
- Execute arbitrary JavaScript in the victim?s browser
- Steal session cookies (subject to browser protections)
- Perform actions on behalf of the victim
- Redirect users or inject malicious content
- Persist malicious scripts affecting all future views

------------------------------------------

[Attack Vector]

- Access Required: Authenticated user
- Attack Type: Remote
- User Interaction: Viewing affected profile page

------------------------------------------

[Attack Flow]

1. Attacker signs in or registers a Coohom account
2. Navigates to Account Settings ? Profile ? Address
3. Inserts malicious payload into City, State, or Country/Region
4. Saves the form
5. Script executes whenever the profile section is rendered

------------------------------------------

[Proof of Concept (PoC)]

Steps to Reproduce
1. Login to Coohom (https://www.coohom.com)
2. Open Account Settings ? Profile ? Address
3. Input the payload below into the City field "</script><script>alert(document.cookie)</script>"
4. Save and refresh the page
5. JavaScript executes immediately ? confirming stored

------------------------------------------

[Recommendation]

- Sanitize input on save
- Reject HTML tags and dangerous attributes
- HTML-encode
- JavaScript-encode
- Attribute-encode
- Implement Content-Security-Policy (CSP)
- Disable inline scripts with script-src 'self'

------------------------------------------

[References]

- https://www.coohom.com/pub/saas/settings/account
- CVE record status (MITRE): CVE-2025-65300 (RESERVED)

------------------------------------------

[Credits]

Discovered by : Phisit Pupiw