High-Severity stored XSS reported in MyCourts platform, can be combined to steal session cookies
Take action: If you are using the MyCourts platform, this one is urgent. The exploit is trivial and can be coded with ChatGPT, and now the vulnerability is public. Your systems will be hacked.
HBI Consulting Ltd has patched a high-severity stored cross-site scripting (XSS) vulnerability in MyCourts, a platform for tennis court booking and league management. The flaw allows attackers to execute arbitrary JavaScript code in users' browsers, potentially leading to complete session hijacking and unauthorized account access.
The vulnerability, tracked as CVE-2025-57424 (CVSS score 7.3), stems from the LTA (Lawn Tennis Association) number field in user profile settings, which was not sanitized. When malicious JavaScript was entered into the LTA number field, it was permanently stored in the database and executed whenever other users viewed the attacker's profile through the members directory at /directory.asp.
The severity of CVE-2025-57424 is amplified by the absence of the HttpOnly flag on session cookies. This means an attacker can craft an XSS payload that is stored on the server and, when it executes in a victim's browser, reads the victim's session cookie (effectively stealing their access).
This could potentially lead to complete account takeover, access to sensitive user information and booking data, privilege escalation from low-privileged to high-privileged accounts, and broader compromise of MyCourts instances.
Affected versions of MyCourts include all releases prior to the August 2025 update. MyCourts does not use traditional version numbering, instead releasing updates on a monthly basis, which means that any instance not running the August 2025 release or later remains vulnerable to exploitation.
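The two defects the advisory describes, an unencoded profile field rendered into the members directory and a session cookie without HttpOnly, modelled as an added Node.js example (this is not MyCourts code, which is classic ASP, but the same two fixes apply there): the vulnerable rendering beside its output-encoded form, an input validator for the LTA number field, and a Set-Cookie builder that sets HttpOnly. The numeric-only LTA number format, the member record and the cookie name are assumptions made for the example.

```javascript
// Added example, not MyCourts code: the advisory's two defects and their fixes.

// Minimal HTML entity encoding for untrusted text placed inside an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation at storage time. Assumption for this example: an LTA number
// is purely numeric; anything else is rejected before it reaches the database.
const LTA_NUMBER_RE = /^[0-9]{1,12}$/;
function validateLtaNumber(input) {
  return LTA_NUMBER_RE.test(input) ? input : null;
}

// "Before": the stored value is interpolated into the directory page unencoded,
// so markup typed into the LTA field is rendered (and any script in it runs)
// in the browser of every member who views the directory.
function renderDirectoryRowVulnerable(member) {
  return `<tr><td>${member.name}</td><td>${member.ltaNumber}</td></tr>`;
}

// "After": every untrusted field is HTML-encoded on output, so the same stored
// value is shown as literal text instead of being parsed as markup.
function renderDirectoryRowSafe(member) {
  return `<tr><td>${escapeHtml(member.name)}</td><td>${escapeHtml(member.ltaNumber)}</td></tr>`;
}

// The cookie side of the advisory: without HttpOnly, script in the page can read
// the session cookie via document.cookie. Build the Set-Cookie header with
// HttpOnly (plus Secure and SameSite) so the browser withholds it from script.
function sessionCookieHeader(name, value, { httpOnly = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Constructed sample: a profile whose LTA field holds markup instead of a number.
const tamperedMember = { name: "A. Member", ltaNumber: "<script>probe()</script>" };

function demo() {
  console.log(renderDirectoryRowVulnerable(tamperedMember)); // script tag reaches the page
  console.log(renderDirectoryRowSafe(tamperedMember));       // rendered as harmless text
  console.log(validateLtaNumber(tamperedMember.ltaNumber));  // null: rejected at input
  console.log(sessionCookieHeader("sessionid", "constructed-session-value"));
}
demo();
```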