CVE-2025-55887 PoC — ARD GEC en Ligne 安全漏洞

Source

https://github.com/0xZeroSec/CVE-2025-55887

Associated Vulnerability

Title:ARD GEC en Ligne 安全漏洞 (CVE-2025-55887)
Description:Cross-Site Scripting (XSS) vulnerability was discovered in the meal reservation service ARD. The vulnerability exists in the transactionID GET parameter on the transaction confirmation page. Due to improper input validation and output encoding, an attacker can inject malicious JavaScript code that is executed in the context of a user s browser. This can lead to session hijacking, theft of cookies, and other malicious actions performed on behalf of the victim.

Readme

# CVE-2025-55887
### Description
Cross-Site Scripting (XSS) vulnerability was discovered in the meal
reservation service ARD. The vulnerability exists in the transactionID
GET parameter on the transaction confirmation page. Due to improper
input validation and output encoding, an attacker can inject malicious
JavaScript code that is executed in the context of a user s browser.
This can lead to session hijacking, theft of cookies, and other
malicious actions performed on behalf of the victim.

### Proof Of Concept

**Payload**
```
https://services.ard.fr/index.php?id=5869&ocid=183&token=1SemPugSUq3maSpK81871559797854161&transactionID=<script>alert(/OPENBUGBOUNTY/)</script>
```

**Screenshot of vulnerability**
![Screenshot of vulnerability](https://www.openbugbounty.org/twimages/screen-4024708.jpg)

### Reseachers
- [raphckrman](https://github.com/raphckrman)

File Snapshot


 [4.0K]  /data/pocs/fad95608b3c576e4b1aad2c279d400913cc34845
└── [ 870]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!