exploitDog

CVE-2025-63589

Опубликовано: 06 нояб. 2025

Источник: nvd

CVSS3: 7.1

EPSS Низкий

Описание

A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.

Ссылки

https://github.com/cmsimple-xh/cmsimple-xh/blob/master/index.php
Product
https://github.com/cybercrewinc/CVE-2025-63589
Exploit
Third Party Advisory
https://github.com/cybercrewinc/CVE-2025-63589
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cmsimple-xh:cmsimple_xh:1.8.0:-:*:*:*:*:*:*

EPSS

Процентиль: 21%

0.0007

Низкий

7.1 High

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-vjvr-7hrq-r8p6

CVSS3: 7.1

github

3 месяца назад

A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.

EPSS

Процентиль: 21%

0.0007

Низкий

7.1 High

CVSS3

Дефекты

CWE-79