Platform
php
Component
vulnerability-research
Fixed in
4.1.4
CVE-2025-1548 is a cross-site scripting (XSS) vulnerability affecting Dreamer CMS versions 4.1.3–4.1.3. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability resides in the /admin/archives/edit file and is triggered by manipulating the editorValue/answer/content parameter. A fix is available in version 4.1.4.
Successful exploitation of CVE-2025-1548 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the website, and theft of sensitive information like login credentials or personal data. The impact is particularly severe for administrative users, as their accounts could be compromised, granting the attacker full control over the Dreamer CMS installation. Given the public disclosure of this vulnerability, it is crucial to apply the patch promptly to prevent exploitation.
CVE-2025-1548 has been publicly disclosed, increasing the risk of exploitation. The vulnerability is considered LOW severity according to CVSS. Public proof-of-concept exploits are likely to emerge, making it easier for attackers to exploit the flaw. The vulnerability was disclosed on 2025-02-21, and the vendor did not respond. No KEV listing is currently available.
Exploit Status
EPSS
0.17% (38% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1548 is to upgrade Dreamer CMS to version 4.1.4 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the editorValue/answer/content parameter to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Review access logs for suspicious activity related to the /admin/archives/edit endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the editorValue/answer/content parameter and verifying that it is properly sanitized.
Update Dreamer CMS to a version later than 4.1.3, if one exists, that fixes the XSS vulnerability. If no version is available, consider disabling or removing the CMS until a fix is released. As a temporary measure, you can implement input filtering rules on the web server to block common XSS attack patterns.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-1548 is a cross-site scripting vulnerability in Dreamer CMS versions 4.1.3–4.1.3, allowing attackers to inject malicious scripts via the /admin/archives/edit endpoint.
You are affected if you are running Dreamer CMS version 4.1.3. Upgrade to 4.1.4 to mitigate the risk.
Upgrade Dreamer CMS to version 4.1.4 or later. Implement input validation and sanitization as a temporary workaround.
The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Dreamer CMS website or official communication channels for the advisory regarding CVE-2025-1548.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.