CVE-2025-11289
1.9
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow more
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: CNA (Secondary)
Description
A vulnerability was determined in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The impacted element is the function Save of the file src/main/java/com/zhiliao/common/template/TemplateFileServiceImpl.java of the component Template Management Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Affected (1)
Products: Westboy: Cicadascms
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.0 |
Related CWEs
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
References (6)
Source: cna@vuldb.com
ExploitThird Party Advisory
Source: cna@vuldb.com
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitThird Party Advisory
Timeline
No history available yet.