MEDIUM Severity
CVE-2025-48051
XSS vulnerability in Lila (for Lichess)
Overview
The file powertip.ts in Lila (for Lichess) has a cross-site scripting (XSS) vulnerability caused by its use of innerHTML, which could allow an attacker to inject arbitrary web script or HTML.
Technical Details
The issue exists because of an innerHTML usage pattern in which text is read from a DOM node and then assigned as HTML, so any markup contained in that text is parsed by the browser instead of being displayed literally. This could allow an attacker to execute arbitrary script in a user's browser within the origin's trust relationship.
CVSS Metrics
- Base Score: 4.7
- Base Severity: MEDIUM
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
Impact
If exploited, this vulnerability allows an attacker to perform actions in the security context of the victim user, leading to unauthorized access or data theft.
Recommendations
- Update to the latest version of Lila (for Lichess) that has the fix.
- Always escape data before presenting it to users to prevent XSS attacks.
- Implement a content security policy (CSP).
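The pattern described under Technical Details, and the escaping recommended above, as an added example that is not Lila's powertip.ts code. It assumes a minimal constructed stand-in for a DOM element (makeNode) so it runs under Node without a browser; renderTooltipUnsafe and renderTooltipSafe are hypothetical names.

```javascript
// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml (single pass, so "&amp;lt;" correctly yields "&lt;").
function unescapeHtml(text) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Constructed stand-in for a DOM element (not the real DOM): innerHTML holds
// markup; textContent is the plain text the browser would derive from it.
function makeNode() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = v; },
    get textContent() { return unescapeHtml(html.replace(/<[^>]*>/g, '')); },
    set textContent(v) { html = escapeHtml(v); },
  };
}

// Unsafe: text read from a node is re-interpreted as markup in the tooltip,
// so "<" characters that were literal text in the source become tags.
function renderTooltipUnsafe(source) {
  const tooltip = makeNode();
  tooltip.innerHTML = source.textContent;
  return tooltip;
}

// Hardened: escape before assigning to innerHTML (or assign textContent
// directly); the markup is shown literally instead of being parsed.
function renderTooltipSafe(source) {
  const tooltip = makeNode();
  tooltip.innerHTML = escapeHtml(source.textContent);
  return tooltip;
}

// Constructed sample: a user-controlled string that happens to contain markup.
const sourceNode = makeNode();
sourceNode.textContent = '<b>Player</b>';
console.log('unsafe:', renderTooltipUnsafe(sourceNode).innerHTML);
console.log('safe:  ', renderTooltipSafe(sourceNode).innerHTML);
```

A quick review check for this bug class is to grep for `innerHTML =` assignments whose right-hand side is derived from `textContent`, `innerText`, or any other value a user can influence.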