CVE-2025-71165

Description

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:typesettercms:typesetter:*:*:*:*:*:*:*:* - VULNERABLE

Typesetter CMS <= 5.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

GET /admin/Tools/Status.php?path=<script>alert(document.cookie)</script> HTTP/1.1

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71165
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71165
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71165/
[4] VulDB https://vuldb.com/cve/CVE-2025-71165
[5] https://github.com/Typesetter/Typesetter
[6] https://github.com/Typesetter/Typesetter/issues/709
[7] https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71165", "sourceIdentifier": "[email protected]", "published": "2026-01-14T19:16:47.157", "lastModified": "2026-01-21T20:46:37.103", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session."}, {"lang": "es", "value": "Las versiones de Typesetter CMS hasta la 5.1 inclusive contienen una vulnerabilidad de cross-site scripting (XSS) reflejado en la interfaz administrativa dentro de la funcionalidad de Estado de Herramientas. El parámetro path se refleja en la respuesta HTML sin una codificación de salida adecuada en include/admin/Tools/Status.PHP. Un atacante autenticado puede proporcionar una entrada manipulada que contenga HTML o JavaScript, lo que resulta en la ejecución arbitraria de scripts en el contexto de la sesión del navegador de un usuario autenticado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:typesettercms:typesetter:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.1", "matchCriteriaId": "D9D43099-0ED9-43B1-8E20-543958026BEF"}]}]}], "references": [{"url": "https://github.com/Typesetter/Typesetter", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Typesetter/Typesetter/issues/709", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}