Platform: php
Component: agency-code-repo
Fixed in: 61.0.1
CVE-2019-25156 is a problematic cross-site scripting (XSS) vulnerability identified in Agency versions up to 61. This vulnerability allows attackers to inject malicious scripts into the application through manipulation of the QSType/QuickSearch argument within the file search functionality. Affected users should upgrade to version 61.0.1 to resolve this issue.
Successful exploitation of CVE-2019-25156 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, and personal data. An attacker could also redirect users to malicious websites, deface the application, or perform other actions on behalf of the victim. The impact is primarily focused on user interaction and data exposure, with potential for broader compromise depending on the application's functionality and data sensitivity.
This vulnerability was disclosed in 2019 and has been documented in the VDB as VDB-244495. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential impact warrant attention. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the vulnerability remains a potential risk if not addressed. Public proof-of-concept exploits are not widely available, but the vulnerability is easily reproducible.
Exploit Status
EPSS: 0.13% (32nd percentile)
CVSS Vector
The primary mitigation for CVE-2019-25156 is to upgrade Agency to version 61.0.1 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the QSType/QuickSearch parameter to prevent malicious input from being processed. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the file search functionality and verifying that it is not executed.
Apply the provided patch in commit 975b56953efabb434519d9feefcc53685fb8d0ab to the search.php file. Review the affected code to ensure that user input in the QSType and QuickSearch parameters is properly sanitized to prevent XSS attacks. Update to a later version if available.
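To make the two mitigation steps above concrete, the following is an added PHP illustration written for this page; it is not Agency's search.php and not the code in the referenced commit. Only the parameter names QSType and QuickSearch come from the advisory; the allow-list of search types, the form layout and the helper names are assumptions. It shows the unsafe reflection pattern the advisory describes beside a hardened version (allow-list validation for QSType, HTML output encoding for both values) and a small self-check of the kind the mitigation text suggests running after the upgrade. It assumes PHP 8 or later.

```php
<?php
// Added illustration, not Agency's own search.php: a minimal reflected-search
// handler showing the unsafe pattern beside the hardened one. The parameter
// names QSType and QuickSearch come from the advisory; the allow-list of
// search types and the HTML layout are assumptions.

declare(strict_types=1);

// Assumed set of valid search types; anything else is rejected, so QSType
// can never carry attacker-chosen markup into the page.
const ALLOWED_QS_TYPES = ['files', 'folders', 'tags'];

// Encode a value for safe insertion into HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// UNSAFE (the class of bug the advisory describes): request input is echoed
// straight into the markup, so markup supplied in either parameter is
// rendered as live HTML in the victim's browser.
function renderSearchFormUnsafe(array $query): string
{
    $type = $query['QSType'] ?? '';
    $term = $query['QuickSearch'] ?? '';
    return '<form><input name="QSType" value="' . $type . '">'
         . '<input name="QuickSearch" value="' . $term . '"></form>'
         . '<p>Results for ' . $term . '</p>';
}

// HARDENED: validate QSType against the allow-list and HTML-encode every
// reflected value at the point of output.
function renderSearchFormSafe(array $query): string
{
    $type = $query['QSType'] ?? '';
    if (!in_array($type, ALLOWED_QS_TYPES, true)) {
        $type = ALLOWED_QS_TYPES[0]; // fall back to a known-good default
    }
    $term = $query['QuickSearch'] ?? '';
    if (!is_string($term)) {         // QuickSearch[]=... arrives as an array; reject it
        $term = '';
    }
    return '<form><input name="QSType" value="' . h($type) . '">'
         . '<input name="QuickSearch" value="' . h($term) . '"></form>'
         . '<p>Results for ' . h($term) . '</p>';
}

// Post-upgrade check from the advisory: pass a benign marker string through
// the handler and confirm it comes back encoded rather than as raw tags.
function reflectsRawMarkup(string $html, string $payload): bool
{
    return str_contains($html, $payload);
}

// Constructed request, standing in for $_GET.
$query = [
    'QSType'      => '"><script>alert(1)</script>',
    'QuickSearch' => '<script>alert(1)</script>',
];

$unsafe = renderSearchFormUnsafe($query);
$safe   = renderSearchFormSafe($query);

echo 'unsafe handler reflects raw markup: '
   . var_export(reflectsRawMarkup($unsafe, $query['QuickSearch']), true) . PHP_EOL;
echo 'hardened handler reflects raw markup: '
   . var_export(reflectsRawMarkup($safe, $query['QuickSearch']), true) . PHP_EOL;
echo $safe . PHP_EOL;
```

The encoding in `h()` is correct only for HTML text and quoted attribute values; if a search value is also written into a JavaScript string, a URL or a CSS block, each of those contexts needs its own encoder. Validation of QSType against a fixed list is the stronger control for a parameter that should only ever take a handful of known values, and the output encoding of QuickSearch is what protects free-text input.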
CVE-2019-25156 is a cross-site scripting (XSS) vulnerability affecting Agency versions up to 61, allowing attackers to inject malicious scripts through the file search functionality.
Yes, if you are using Agency version 61 or earlier, you are vulnerable to this XSS attack. Upgrade to version 61.0.1 to mitigate the risk.
The recommended fix is to upgrade Agency to version 61.0.1 or later. Input validation and WAF rules can provide temporary protection.
While no widespread exploitation has been publicly reported, the vulnerability's ease of exploitation means it remains a potential risk.
Refer to the vendor's documentation and security advisories for Agency, and check the VDB entry (VDB-244495) for more details.