A critical safety vulnerability has been found in MyCourts, the favored tennis court docket reserving and league administration platform utilized by golf equipment throughout the UK. The flaw, which has been assigned the identifier CVE-2025-57424, might have allowed attackers to hijack consumer classes and acquire unauthorised entry to accounts.
What Occurred?
Safety researcher William Fieldhouse from Aardwolf Safety uncovered a saved cross-site scripting (XSS) vulnerability within the MyCourts utility. The weak spot existed in an sudden place: the LTA (Garden Tennis Affiliation) quantity subject inside consumer profiles.
The vulnerability obtained a CVSS rating of seven.3, classifying it as excessive severity. While the flaw has now been fastened, it serves as an essential reminder in regards to the significance of net utility penetration testing.
How the Assault Labored
The vulnerability exploited a typical net safety subject: inadequate enter validation. When customers entered their LTA quantity of their profile settings, the applying didn’t correctly examine or clear the information earlier than storing it within the database.
An attacker might inject malicious JavaScript code into this subject. When different customers browsed the members listing and considered the attacker’s profile, this code would execute of their browser. The assault chain labored like this:
- The attacker creates a profile with malicious code within the LTA quantity subject
- Authentic customers browse to the attacker’s profile within the listing
- The malicious JavaScript mechanically executes within the sufferer’s browser
- The script steals the sufferer’s session cookie
- The attacker makes use of the stolen session to entry the sufferer’s account
What made this notably harmful was that MyCourts session cookies lacked the HttpOnly safety flag. This meant JavaScript might entry these cookies, enabling the session hijacking assault.
The Actual-World Danger
This wasn’t only a theoretical vulnerability. The exploitation situation was simple and will have led to critical penalties:
Session Hijacking: Attackers might steal lively administrator classes, giving them full management over membership administration features.
Account Takeover: With stolen classes, attackers might entry administrative features, modify bookings, change consumer particulars, or entry monetary info.
Persistent Entry: As soon as captured, session tokens might be reused with out re-authentication, permitting attackers to keep up long-term unauthorised entry.
Knowledge Breach: Full entry to delicate consumer info, reserving knowledge, and probably cost particulars saved within the system.
The Good Information
HBI Consulting Ltd, the seller behind MyCourts, responded rapidly and professionally to the disclosure. The vulnerability was reported in August 2025, and a repair was deployed in the identical month as a part of their common month-to-month launch cycle.
The remediation has been independently verified by Aardwolf Safety, confirming that the saved XSS vulnerability has been efficiently addressed.
What Tennis Golf equipment Ought to Do
In case your organisation makes use of MyCourts, it is best to take the next actions:
Confirm Your Model: Make sure you’re operating the August 2025 launch or later. Contact HBI Consulting Ltd in the event you’re uncertain about your present model.
Evaluate Person Exercise: Examine for any suspicious account exercise or unauthorised entry through the vulnerability window.
Replace Safety Practices: Use this as a possibility to assessment your general safety posture and guarantee all net purposes are saved updated.
Classes for Net Safety
This vulnerability highlights a number of essential safety rules:
Enter Validation Issues: Even seemingly innocuous fields like membership numbers want correct validation. By no means belief consumer enter.
Defence in Depth: A number of safety controls are important. If the HttpOnly flag had been set on cookies, the affect of this XSS vulnerability would have been considerably decreased.
Output Encoding: All user-supplied knowledge should be correctly encoded earlier than being displayed in net pages.
Common Safety Testing: Vulnerabilities can exist in sudden locations. Common safety assessments and code evaluations are important.
The Significance of Accountable Disclosure
This case demonstrates the worth of accountable disclosure practices. The researcher labored collaboratively with the seller, permitting time for a repair to be developed and deployed earlier than publicly disclosing the small print. This method protects customers while nonetheless bringing essential safety points to gentle.
MyCourts customers can now profit from improved safety due to this coordinated effort between safety researchers and the seller.
Shifting Ahead
While this explicit vulnerability has been resolved, it serves as a reminder that net utility safety requires ongoing consideration. Organisations ought to prioritise safety all through their improvement lifecycle and implement complete testing to determine and deal with vulnerabilities earlier than they are often exploited.
The swift response from HBI Consulting Ltd and the thorough analysis by Aardwolf Safety reveal how the safety neighborhood can work collectively to guard customers and enhance software program safety.
Supply: For full technical particulars together with the proof of idea and remediation suggestions, learn the unique vulnerability disclosure.
Concerning the Discoverer: This vulnerability was found by William Fieldhouse of Aardwolf Safety throughout safety analysis performed in August 2025.
