A serious security vulnerability has been discovered in MyCourts, the popular tennis court booking and league management platform used by clubs across the UK. The flaw, which has been assigned the identifier CVE-2025-57424, could have allowed attackers to hijack user sessions and gain unauthorised access to accounts.
What Happened?
Security researcher William Fieldhouse from Aardwolf Security uncovered a stored cross-site scripting (XSS) vulnerability in the MyCourts application. The weakness existed in an unexpected place: the LTA (Lawn Tennis Association) number field within user profiles.
The vulnerability received a CVSS score of 7.3, classifying it as high severity. Whilst the flaw has now been fixed, it is a timely reminder of the value of web application penetration testing.
How the Attack Worked
The vulnerability exploited a common web security issue: insufficient input validation. When users entered their LTA number in their profile settings, the application didn’t properly check or clean the data before storing it in the database.
An attacker could inject malicious JavaScript code into this field. When other users browsed the members directory and viewed the attacker’s profile, this code would execute in their browser. The attack chain worked like this:
- The attacker creates a profile with malicious code in the LTA number field
- Legitimate users browse to the attacker’s profile in the directory
- The malicious JavaScript automatically executes in the victim’s browser
- The script steals the victim’s session cookie
- The attacker uses the stolen session to access the victim’s account
What made this particularly dangerous was that MyCourts session cookies lacked the HttpOnly protection flag. This meant JavaScript could access these cookies, enabling the session hijacking attack.
The Real-World Risk
This wasn’t just a theoretical vulnerability. The exploitation scenario was straightforward and could have led to serious consequences:
Session Hijacking: Attackers could steal active administrator sessions, giving them complete control over club management functions.
Account Takeover: With stolen sessions, attackers could access administrative functions, modify bookings, change user details, or access financial information.
Persistent Access: Once captured, session tokens could be reused without re-authentication, allowing attackers to maintain long-term unauthorised access.
Data Breach: Full access to sensitive user information, booking data, and potentially payment details stored in the system.
The Good News
HBI Consulting Ltd, the vendor behind MyCourts, responded quickly and professionally to the disclosure. The vulnerability was reported in August 2025, and a fix was deployed in the same month as part of their regular monthly release cycle.
The remediation has been independently verified by Aardwolf Security, confirming that the stored XSS vulnerability has been successfully addressed.
What Tennis Clubs Should Do
If your organisation uses MyCourts, you should take the following actions:
Verify Your Version: Ensure you’re running the August 2025 release or later. Contact HBI Consulting Ltd if you’re unsure about your current version.
Review User Activity: Check for any suspicious account activity or unauthorised access during the vulnerability window.
Update Security Practices: Use this as an opportunity to review your overall security posture and ensure all web applications are kept up to date.
Lessons for Web Security
This vulnerability highlights several important security principles:
Input Validation Matters: Even seemingly innocuous fields like membership numbers need proper validation. Never trust user input.
Defence in Depth: Multiple security controls are essential. If the HttpOnly flag had been set on cookies, the impact of this XSS vulnerability would have been significantly reduced.
Output Encoding: All user-supplied data must be properly encoded before being displayed in web pages.
Regular Security Testing: Vulnerabilities can exist in unexpected places. Regular security assessments and code reviews are essential.
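As an added example (not code from MyCourts, HBI Consulting Ltd or the disclosure), the two controls named above in JavaScript: HTML-encoding a profile field before it is rendered in the members directory, allow-list validation before storage, and issuing the session cookie with the HttpOnly flag. The LTA number format, field names and cookie name are assumptions for illustration.

```javascript
// Added example (not MyCourts code): the defensive controls the article
// names, output encoding for a profile field and an HttpOnly session cookie.
// The LTA-number format and field names below are assumptions.

// Encode user-supplied text for an HTML body context so markup characters
// are rendered literally instead of being parsed as tags by the browser.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Server-side allow-list validation applied before the value is stored.
// Assumed format: 4 to 10 digits (hypothetical, not the real LTA rule).
function isValidLtaNumber(value) {
  return /^[0-9]{4,10}$/.test(String(value));
}

// Render a members-directory card. Every field passes through escapeHtml,
// so the page stays safe even if input validation was bypassed earlier.
function renderProfileCard(profile) {
  return '<div class="member">' +
    `<span class="name">${escapeHtml(profile.name)}</span>` +
    `<span class="lta">${escapeHtml(profile.ltaNumber)}</span>` +
    '</div>';
}

// Build the Set-Cookie header for a session token. HttpOnly keeps the cookie
// out of document.cookie; Secure and SameSite are added as further hardening.
function sessionCookieHeader(token) {
  return `sessionid=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: a profile whose LTA field contains markup, as an
// untrusted submission would if validation were missing.
const untrustedProfile = { name: 'A. Member', ltaNumber: '<b>not-a-number</b>' };

console.log('valid LTA number?', isValidLtaNumber(untrustedProfile.ltaNumber));
console.log(renderProfileCard(untrustedProfile));
console.log(sessionCookieHeader('constructed-token'));
```

Encoding must match the output context: the body-text encoder above is not sufficient on its own for values placed inside JavaScript, URLs or unquoted attributes.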
The Importance of Responsible Disclosure
This case demonstrates the value of responsible disclosure practices. The researcher worked collaboratively with the vendor, allowing time for a fix to be developed and deployed before publicly disclosing the details. This approach protects users whilst still bringing important security issues to light.
MyCourts users can now benefit from improved security thanks to this coordinated effort between security researchers and the vendor.
Moving Forward
Whilst this particular vulnerability has been resolved, it serves as a reminder that web application security requires ongoing attention. Organisations should prioritise security throughout their development lifecycle and implement comprehensive testing to identify and address vulnerabilities before they can be exploited.
The swift response from HBI Consulting Ltd and the thorough research by Aardwolf Security demonstrate how the security community can work together to protect users and improve software security.
Source: For full technical details including the proof of concept and remediation recommendations, read the original vulnerability disclosure.
About the Discoverer: This vulnerability was discovered by William Fieldhouse of Aardwolf Security during security research conducted in August 2025.