Skip to main content

CVE-2025-54544: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in OpenSolution QuickCMS

Medium
VulnerabilityCVE-2025-54544cvecve-2025-54544cwe-79
Published: Thu Aug 28 2025 (08/28/2025, 10:12:42 UTC)
Source: CVE Database V5
Vendor/Project: OpenSolution
Product: QuickCMS

Description

QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AI-Powered Analysis

AILast updated: 08/28/2025, 10:33:01 UTC

Technical Analysis

CVE-2025-54544 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting OpenSolution's QuickCMS version 6.8. The vulnerability arises from improper neutralization of input during web page generation, specifically via the aDirFilesDescriptions parameter in the files editor functionality. An attacker with administrative privileges can inject arbitrary HTML and JavaScript code into the website content. This malicious code is then stored on the server and executed in the context of any user visiting the affected page. Although the default admin user is restricted from adding JavaScript directly, the vulnerability allows bypassing this limitation through the aDirFilesDescriptions parameter. The vendor was notified early but did not disclose details or affected version ranges beyond confirming version 6.8 as vulnerable. Other versions may also be susceptible but have not been tested. The CVSS 4.0 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or authentication, but does require user interaction (visiting the page). The vulnerability does not impact confidentiality, integrity, or availability directly but can be leveraged for session hijacking, phishing, or delivering malicious payloads to users. No known exploits are currently in the wild, and no patches have been released yet. This vulnerability falls under CWE-79, a common web application security weakness related to improper input sanitization and output encoding.

Potential Impact

For European organizations using QuickCMS version 6.8, this vulnerability poses a risk primarily to website visitors and administrators. An attacker exploiting this flaw could execute arbitrary scripts in users' browsers, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. Since the vulnerability requires admin privileges to inject code, the initial compromise vector may involve social engineering or credential theft targeting administrators. The impact on confidentiality and integrity of user data is moderate, as attackers can manipulate client-side content and potentially steal sensitive information. Availability is not directly affected. Organizations in sectors with public-facing websites, such as government, education, and small to medium enterprises relying on QuickCMS, could face reputational damage and regulatory scrutiny under GDPR if user data is compromised. The lack of vendor response and patches increases the risk window. Additionally, the vulnerability could be leveraged in targeted attacks against European entities with QuickCMS deployments, especially where administrative controls are weak or credentials are reused.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting administrative access to QuickCMS to trusted personnel only, enforcing strong, unique passwords and multi-factor authentication to reduce the risk of admin account compromise. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the aDirFilesDescriptions parameter, especially scripts or HTML tags. 3. Conduct thorough input validation and output encoding on all user-supplied content within QuickCMS, particularly in the files editor functionality. If possible, sanitize or strip HTML/JavaScript content from the aDirFilesDescriptions parameter. 4. Monitor website content changes and audit admin activities to detect unauthorized injections. 5. Isolate or sandbox the affected CMS environment to limit potential damage if exploitation occurs. 6. Engage with the vendor for patch release timelines and consider upgrading to newer versions once available. 7. Educate administrators about phishing and credential theft risks to prevent initial access. 8. If feasible, replace QuickCMS with a more secure CMS platform until a patch is released. 9. Regularly scan the website for XSS vulnerabilities using automated tools and manual testing.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2025-07-24T13:28:55.490Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b02cccad5a09ad006bf582

Added to database: 8/28/2025, 10:17:48 AM

Last enriched: 8/28/2025, 10:33:01 AM

Last updated: 8/28/2025, 11:20:28 AM

Views: 3

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats