Key Information

Vulnerability ID: CVE-2025-62662
Vulnerability Type: Stored XSS through system messages in AdvancedSearch
Affected Versions: Version(s): 1.4.2.x (up to 1.4.2.0)
Affected: Yes
Fixed: No

Description

Nginx system messages are returned as HTML by the AdvancedSearch resource, allowing for stored XSS.

Reproduction Steps

1. Take a screenshot.
2. View an advanced search page in Firefox.
3. Click on "Advanced Search" and then click on "Save".
4. Markup data is shown by the /system/messages/advancedsearch resource:
   - advancedsearch-field-advancedsearch
   - advancedsearch-field-help
   - advancedsearch-field-new
   - advancedsearch-field-old
   - advancedsearch-field-range
   - advancedsearch-field-subject
   - advancedsearch-field-author
   - advancedsearch-field-content

Root Cause

The message is converted at this place, which does not escape the contents and converts the break into a tag. It was introduced in 1.4.2.0.

Additional Information

Author: Willem Vanhaelen (@ Packt)
Related Changes: In OpenSearch
Mentions: Security Prior To Deploy on the Security Team Board
Tags: #SecurityTeam, #Vulnerability, #XSS
Technologies: Nginx, JavaScript, HTML
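
The pattern named under Root Cause, shown beside a hardened form, as an added example that is not the project's own code. It assumes "the break" means a line break turned into a `<br>` tag; the function names and message values are constructed, and only the message keys come from this advisory.

```javascript
// Added example: message keys come from the advisory; the message values and
// all function names are constructed for illustration.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can start markup or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: line breaks become <br>, everything else is emitted
// as-is, so markup stored in a message reaches the page as live HTML.
function renderMessageUnsafe(text) {
  return String(text).replace(/\r?\n/g, '<br>');
}

// Hardened pattern: escape the stored text first, then add the one tag the
// renderer itself is responsible for.
function renderMessageSafe(text) {
  return escapeHtml(text).replace(/\r?\n/g, '<br>');
}

// Audit helper: list message keys whose stored value contains HTML-significant
// characters, i.e. where the unsafe and safe renderings differ.
function findMessagesNeedingEscape(messages) {
  return Object.entries(messages)
    .filter(([, value]) => renderMessageUnsafe(value) !== renderMessageSafe(value))
    .map(([key]) => key)
    .sort();
}

// Constructed sample store (values are not taken from a real installation).
const sampleMessages = {
  'advancedsearch-field-help': 'Search help\nsecond line',
  'advancedsearch-field-subject': 'Subject <img src=x onerror="alert(1)">',
  'advancedsearch-field-author': 'Author & editor',
};

console.log('needs escaping:', findMessagesNeedingEscape(sampleMessages));
for (const [key, value] of Object.entries(sampleMessages)) {
  console.log(key, '=>', renderMessageSafe(value));
}
```

The order matters: escaping after the line-break conversion would also escape the `<br>` the renderer inserted.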