CVE-2025-11291: Reflected Cross-Site-Scripting (XSS) in IXMaps.ca 

**Affected software: (Code)**
https://github.com/ixmaps/website2017

**Affected software: (Actual live URL)**
https://www.ixmaps.ca/


**Issue:**
A reflected cross-site scripting (XSS) vulnerability exists in the site at https://www.ixmaps.ca/ that enables a remote attacker to execute arbitrary JavaScript code in the user's browser.


**Steps to Reproduce:**
Visit https://www.ixmaps.ca/, and send the payload shown below in the 'trid' parameter.

<img width="782" height="343" alt="Image" src="https://github.com/user-attachments/assets/54f9d5d1-f7b5-4ab4-8589-bc94619c9996" />

Notice that the payload has been reflected in the response.

<img width="781" height="567" alt="Image" src="https://github.com/user-attachments/assets/ad4f6196-b7ff-4be8-bdd7-d78028f567e4" />


**Alternative payload to send in 'trid' parameter:**
%3cscript%3ealert('456')%3c%2fscript%3enp9ly%3cscript%3ealert(1)%3c%2fscript%3egrkmm

**Vulnerable Portion of Code:**

<img width="1152" height="1087" alt="Image" src="https://github.com/user-attachments/assets/6c6458ae-ee95-4f9c-9717-7dc7b8d63729" />


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2025-11291: Reflected Cross-Site-Scripting (XSS) in IXMaps.ca #2

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2025-11291: Reflected Cross-Site-Scripting (XSS) in IXMaps.ca #2

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions