Unauthenticated reflected cross-site scripting in `Server` parameter in TS3 Manager <=v2.2.1
CVE: CVE-2025-61583
Product: TS3 Manager
Published: 10/1/2025
Researcher: Krishna Agarwal, Swapnil Ade
Summary
A reflected cross-site scripting (XSS) vulnerability was identified in TS3 Manager versions 2.2.1 and earlier due to improper handling of user-supplied input in the login error mechanism. Malicious JavaScript embedded in the Server hostname field is reflected back to the client without sanitization and rendered directly in the browser, allowing script execution in the victim’s context.
Proof of Concept
Authentication: Unauthenticated
- In the `Server` field, input a cross-site scripting payload and fill in the other fields, such as username and password.
- Click on Connect.
- Observe that the payload gets executed.
Remediation
This vulnerability has been addressed in TS3 Manager version 2.2.2 and later.
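
For applications that echo a submitted server address in a login error, as the summary describes, the following added example contrasts the unsafe pattern with a hardened one. It is not TS3 Manager's code or its actual fix; the function names, the error wording and the sample inputs are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; not taken from TS3 Manager.

// Encode the HTML-significant characters for text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list check: RFC 1123 style labels separated by dots, 253 chars max.
// Dotted IPv4 addresses pass as well; IPv6 literals are not handled here.
function isValidServerHost(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 253) {
    return false;
  }
  const label = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return value.split(".").every((part) => label.test(part));
}

// Unsafe pattern: the submitted value is concatenated into markup as-is,
// so any markup in the Server field becomes part of the page.
function renderLoginErrorUnsafe(server) {
  return `<div class="error">Could not connect to ${server}</div>`;
}

// Hardened pattern: reject anything that is not a hostname, never echo the
// rejected value, and still encode what is echoed (defense in depth).
function renderLoginError(server) {
  if (!isValidServerHost(server)) {
    return '<div class="error">Invalid server address</div>';
  }
  return `<div class="error">Could not connect to ${escapeHtml(server)}</div>`;
}

// Constructed sample inputs: two valid addresses and one containing markup.
const samples = ["ts.example.org", "192.0.2.10", "<i>not-a-host</i>"];
for (const s of samples) {
  console.log(renderLoginError(s));
}
```

When the error is rendered client-side instead, the equivalent control is to assign the message through a text-only sink such as `textContent` rather than `innerHTML`.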