Security Bulletin #25-002 — DriveLock Operations Center (DOC): Cross-Site Scripting (CVE request)

First published: 2025-09-25

Last updated: 2025-09-26

CVE: CVE-2025-TBD

CVSS Score: CRITICAL 9.6 – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Affected product(s): DriveLock SE — DriveLock Operations Center (DOC) (see versions below)

Disclosure status: Coordinated

Vulnerability type / classification: Cross-Site Scripting (XSS) → Code Execution

Attack type: Remote

Attack vector: Network

Summary

In DriveLock Operations Center (DOC) 25.1.2 and 25.1.4, a cross-site scripting (XSS) vulnerability can be exploited remotely to execute malicious scripts and potentially take over user sessions.

Description

A cross-site scripting (XSS) flaw in the DOC web interface allows attackers to inject malicious code via crafted network requests. Successful exploitation may lead to session hijacking and arbitrary code execution in the context of the affected user.
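The bulletin names the vulnerability class but, as is usual for coordinated disclosure, not the affected code path. The following is an added illustration of that class written for this page; it is not DriveLock code and does not reproduce the DOC flaw. The greeting template, the `escapeHtml` helper, the `containsUntrustedMarkup` review aid and the sample input are all constructed here: the unsafe form concatenates untrusted input straight into markup, the hardened form escapes it for the HTML context first.

```javascript
// Added illustration (not DriveLock code): the XSS class named in the bulletin.
// Building an HTML fragment by concatenating untrusted input is the classic
// pattern; escaping the input for the context it lands in is the standard fix.
// The greeting fragment and the input value are constructed for this example.

// Escape the five characters that change meaning in HTML text and
// attribute-value contexts. '&' must be handled first so the other
// replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: untrusted input reaches the markup verbatim, so any tag
// or attribute it carries becomes part of the rendered page.
function renderGreetingUnsafe(displayName) {
  return `<p class="greeting">Hello, ${displayName}</p>`;
}

// Hardened form: the same fragment with the input escaped for the HTML text
// context it is placed in; the browser shows the characters literally.
function renderGreetingSafe(displayName) {
  return `<p class="greeting">Hello, ${escapeHtml(displayName)}</p>`;
}

// Review aid: does a rendered fragment contain any tag that was not part of
// the trusted template? Compares the set of tags, not the text between them.
function containsUntrustedMarkup(fragment, template) {
  const tags = (s) => s.match(/<[^>]+>/g) || [];
  const trusted = new Set(tags(template));
  return tags(fragment).some((t) => !trusted.has(t));
}

// Baseline template with no user input, used as the trusted tag set.
const TEMPLATE = renderGreetingSafe("");

// Constructed sample input containing markup, a quote and an ampersand.
const CONSTRUCTED_INPUT = 'Ada <b onclick="x()">Lovelace</b> & "Co"';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderGreetingUnsafe(CONSTRUCTED_INPUT));
  console.log(renderGreetingSafe(CONSTRUCTED_INPUT));
  console.log(containsUntrustedMarkup(renderGreetingUnsafe(CONSTRUCTED_INPUT), TEMPLATE)); // true
  console.log(containsUntrustedMarkup(renderGreetingSafe(CONSTRUCTED_INPUT), TEMPLATE));   // false
}
```

The escaping shown is correct for HTML text and quoted attribute values only; input placed into a URL, a script block or an inline event handler needs the encoding for that context, and a framework's built-in templating is preferable to a hand-written helper where one is available.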

Affected versions

  • DriveLock 25.1.2 — vulnerable (fixed in 25.1.5)

  • DriveLock 25.1.4 — vulnerable (fixed in 25.1.5)

Mitigation

Update to the patched version immediately.

Fixed in

  • DriveLock 25.1.5

References

  • CVE-2025-XXXXX — official record will be available on MITRE once published.

How to update your environment

  • To ensure continued protection, an update to 25.1.5 is required.
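As an added example for the update step above, not a DriveLock tool, the following decides for each host in an inventory whether its DOC version still needs the update this bulletin requires. The version numbers are the bulletin's own (25.1.2 and 25.1.4 affected, 25.1.5 fixed); the `major.minor.patch` string format, the `assessVersion` and `hostsNeedingUpdate` helpers and the sample inventory are assumptions constructed for this example.

```javascript
// Added example (not a DriveLock tool): gate on the bulletin's version facts.
// Versions are assumed to be "major.minor.patch" strings; the inventory below
// is constructed sample data.

const FIXED_VERSION = "25.1.5";          // from the bulletin
const LISTED_AFFECTED = ["25.1.2", "25.1.4"]; // from the bulletin

// Parse "a.b.c" into integers. Plain string comparison would rank "25.1.10"
// below "25.1.5", so versions are compared component by component instead.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length === 0 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised version string: ${v}`);
  }
  return parts.map(Number);
}

// Comparator returning -1, 0 or 1; a missing trailing component counts as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "listedAffected" is an exact match against the two versions the bulletin
// confirms. "belowFix" is the practical reading of "update to 25.1.5 is
// required": anything older than the fixed version needs the update, whether
// or not the bulletin lists it explicitly.
function assessVersion(installed) {
  return {
    installed,
    listedAffected: LISTED_AFFECTED.includes(installed),
    belowFix: compareVersions(installed, FIXED_VERSION) < 0,
  };
}

// Walk an inventory of { host, version } records and keep only the hosts
// that still need the update.
function hostsNeedingUpdate(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, ...assessVersion(version) }))
    .filter((r) => r.belowFix);
}

// Constructed sample inventory.
const CONSTRUCTED_INVENTORY = [
  { host: "doc-prod-01", version: "25.1.2" },
  { host: "doc-prod-02", version: "25.1.4" },
  { host: "doc-test-01", version: "25.1.5" },
  { host: "doc-lab-01", version: "25.1.10" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of hostsNeedingUpdate(CONSTRUCTED_INVENTORY)) {
    console.log(`${r.host}: ${r.installed} -> update to ${FIXED_VERSION}` +
      (r.listedAffected ? " (listed as affected)" : ""));
  }
}
```

Only the two listed versions are confirmed vulnerable by the bulletin; the `belowFix` flag is the conservative reading for patch scheduling, and the version strings should be taken from the installed product, not from a package name.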

Additionally, regardless of this specific issue, we always recommend using the latest release of DriveLock to benefit from ongoing improvements and security enhancements.

A CVE has been requested and is currently under review by an official CNA authority. We will inform you once it is published.