A cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0708, has been identified in OpenCms version 2.2. The flaw resides in the Add Model Management Page and affects the handling of the 模板前缀 (Template Prefix) parameter: the value is not properly neutralized before it is written into a page, so an attacker can inject script that runs in the browser of any user who views the affected page, potentially compromising that user's session and data. The vulnerability was publicly disclosed on January 24, 2025, and a fix is available in version 2.2.1.
The XSS vulnerability in OpenCms allows an attacker to inject arbitrary JavaScript into the application's web pages. This can be used to steal session cookies or credentials, redirect users to malicious websites, or deface the site. The attack is launched remotely over the network; that does not by itself mean it is unauthenticated. The affected endpoint belongs to the admin model management page, so check whether submitting a 模板前缀 value requires an authenticated session in your deployment; where it does, the typical scenario is one privileged user planting a payload that fires when another administrator views the page. The impact ranges from minor annoyance to account takeover, depending on the privileges of the user whose session is hijacked. XSS offers little direct lateral movement, but credentials or tokens captured from an administrator can be reused against other systems that share them.
This vulnerability was publicly disclosed on January 24, 2025. A public proof-of-concept is likely to emerge, since XSS payloads are trivial to craft once the vulnerable parameter is known. The CVSS base score of 3.5 (LOW) rates severity, not likelihood of exploitation; a score this low usually reflects that exploitation requires some privileges and user interaction and has limited confidentiality impact. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2025-0708 is to upgrade OpenCms to version 2.2.1 or later, which contains the fix. If you cannot upgrade immediately, validate the 模板前缀 parameter against an allowlist at the point it is accepted and, more importantly, HTML-encode it wherever it is written into a page; input filtering alone is bypassable and does not protect values that are already stored. A web application firewall tuned to block XSS patterns on the /admin/model/addOrUpdate endpoint adds a layer of protection but is not a substitute for the fix. Monitor web server access logs for requests to that endpoint carrying script-like content; note that access logs record query strings but not POST bodies, so application-level logging may be needed to see the parameter value. After upgrading, confirm the fix in a test environment by submitting a simple payload such as <script>alert(1)</script> in the 模板前缀 field and verifying that it is rendered as text rather than executed.
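As an added example (not from the original advisory or the OpenCms project), the following Python script implements the log-monitoring step above against constructed combined-format access log lines. It scopes to the /admin/model/addOrUpdate path named in the remediation note, percent-decodes the query string so the 模板前缀 key and its value are compared in clear text, and reports GET requests whose parameters carry script-like content. The XSS indicator patterns are my own heuristics and the sample lines are fabricated; POST requests to the endpoint are reported separately because their bodies are not in the access log.

```python
"""Scan web-server access logs for XSS-style payloads aimed at the
OpenCms model-management endpoint (/admin/model/addOrUpdate).
Added example; heuristics and sample data are constructed, not real."""
import re
from urllib.parse import parse_qs, urlsplit

VULN_ENDPOINT = "/admin/model/addOrUpdate"
VULN_PARAM = "模板前缀"  # "Template Prefix", the parameter named in the advisory

# Nginx/Apache "combined" format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a decoded parameter value. The on*= rule can
# false-positive on ordinary words ("one="), so tune it to your own traffic.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"<\s*(?:img|svg|iframe|object|embed|body|input|a)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

# Constructed sample traffic (not real logs). 模板前缀 appears UTF-8 percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2025:10:01:12 +0000] "GET /admin/model/addOrUpdate?name=news&%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [24/Jan/2025:10:02:40 +0000] "GET /admin/model/addOrUpdate?name=blog&%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=blog_ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Jan/2025:10:03:05 +0000] "POST /admin/model/addOrUpdate HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - - [24/Jan/2025:10:04:19 +0000] "GET /admin/model/addOrUpdate?name=x&%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jan/2025:10:05:00 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def classify_value(value):
    """Return the pattern of the first matching XSS indicator, or None."""
    for pat in XSS_PATTERNS:
        if pat.search(value):
            return pat.pattern
    return None


def scan_access_log(log_text, endpoint=VULN_ENDPOINT):
    """Return findings for requests to `endpoint`.

    kind == "payload": a decoded query parameter carried an XSS indicator
    (GET only, since access logs do not record POST bodies).
    kind == "unlogged_body": a non-GET request to the endpoint whose parameters
    cannot be inspected here; correlate with application-level logs instead.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue  # other paths are out of scope for this check
        if m["method"] != "GET":
            findings.append({"ip": m["ip"], "kind": "unlogged_body", "method": m["method"]})
            continue
        # parse_qs percent-decodes both keys and values as UTF-8
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                reason = classify_value(value)
                if reason:
                    findings.append({"ip": m["ip"], "kind": "payload",
                                     "param": param, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `scan_access_log(open("access.log").read())`; the unrelated /search hit in the sample is deliberately ignored to show that the check is scoped to the vulnerable endpoint rather than to every `<script` in the log.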
Update to a patched version of OpenCms (2.2.1 or later) that fixes the XSS. If no patched version is available to you, review the addOrUpdate function behind /admin/model/addOrUpdate and make sure the value of the 模板前缀 (Template Prefix) parameter is validated on input and HTML-escaped on output, so that it can never be interpreted as markup or script.
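The following Python module, added here as an example and not the project's own code, shows the pattern behind that fix in a hypothetical re-implementation of the model-row rendering: a vulnerable version that concatenates the 模板前缀 value into HTML, an allowlist validator (the identifier-like prefix format is my assumption), an output-encoding version, and a parser-based check that serves the post-upgrade verification step by confirming a payload no longer yields a script tag or event-handler attribute. The row template and payloads are constructed for illustration.

```python
"""Vulnerable vs hardened handling of the 模板前缀 (Template Prefix) field.
Hypothetical re-implementation for illustration; not the OpenCms project's code."""
import html
import re
from html.parser import HTMLParser

# Assumption: template prefixes are short identifier-like strings such as "news_".
PREFIX_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Constructed row template: the prefix lands in an attribute and in text content.
ROW_TEMPLATE = '<tr><td class="prefix" data-prefix="{attr}">{text}</td></tr>'

PAYLOADS = [
    "<script>alert(1)</script>",      # breaks out in text context
    '" onmouseover=alert(1) x="',     # breaks out in attribute context
]


class InvalidPrefix(ValueError):
    pass


def render_row_vulnerable(prefix):
    """The pattern behind the bug: user input concatenated straight into HTML."""
    return ROW_TEMPLATE.format(attr=prefix, text=prefix)


def validate_template_prefix(prefix):
    """Reject anything outside the allowlist before it is stored."""
    if not isinstance(prefix, str) or not PREFIX_RE.fullmatch(prefix):
        raise InvalidPrefix(f"template prefix rejected: {prefix!r}")
    return prefix


def render_row_safe(prefix):
    """Escape on output regardless of validation: stored rows may predate the fix."""
    escaped = html.escape(prefix, quote=True)  # quote=True covers the attribute context
    return ROW_TEMPLATE.format(attr=escaped, text=escaped)


class TagAudit(HTMLParser):
    """Collects start tags and on* attributes the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs += [name for name, _ in attrs if name.startswith("on")]


def payload_is_live(rendered):
    """Verification check: True if rendering produced a script tag or an on* handler."""
    audit = TagAudit()
    audit.feed(rendered)
    audit.close()
    return "script" in audit.tags or bool(audit.event_attrs)


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable live:", payload_is_live(render_row_vulnerable(payload)))
        print("hardened  live:", payload_is_live(render_row_safe(payload)))
```

Use the validator at the addOrUpdate boundary and the escaping renderer wherever the prefix is displayed; the parser-based check is the kind of assertion to keep in a regression test after upgrading, since a string search for the payload would still "find" the harmlessly escaped text.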
CVE-2025-0708 is a cross-site scripting (XSS) vulnerability affecting OpenCms version 2.2. It allows attackers to inject malicious scripts via the 模板前缀 parameter of the Add Model Management Page.
You are affected if you are running OpenCms version 2.2, the version named in the advisory; treat any installation older than 2.2.1 as vulnerable.
Upgrade OpenCms to version 2.2.1 or later to resolve the vulnerability. Input validation, output encoding and WAF rules can provide temporary mitigation.
Exploitation in the wild has not been confirmed, but the public disclosure and the ease of crafting XSS payloads mean active exploitation is plausible.
Refer to the OpenCms security advisories page for the latest information and official announcements regarding CVE-2025-0708.