Platform
php
Fixed in
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
A cross-site scripting (XSS) vulnerability has been identified in FoxCMS versions 1.2.0 through 1.2.16. The flaw resides in the add/edit function of the Product.php file, specifically in the handling of the Title argument. Successful exploitation allows attackers to inject malicious scripts, potentially compromising user sessions and website integrity. A fix is available in version 1.2.10.
The XSS vulnerability in FoxCMS allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, deface the website, or execute other malicious actions. The ability to initiate the attack remotely significantly increases the potential impact, as it doesn't require any prior access to the system. Given the public availability of an exploit, the risk of immediate exploitation is elevated.
The vulnerability details and an exploit have been publicly disclosed, increasing the likelihood of exploitation. The CVE was published on 2025-11-09. The vendor was contacted but did not respond, which may indicate a lack of ongoing support for older versions of FoxCMS. The low CVSS score reflects the relatively limited impact and ease of mitigation, but the public exploit makes it a priority for patching.
Organizations and individuals using FoxCMS versions 1.2.0 through 1.2.16 are at risk. This includes websites and applications built on FoxCMS, particularly those with user-generated content or where user input is not properly validated. Shared hosting environments using FoxCMS are also at increased risk due to the potential for cross-tenant exploitation.
• php / web:
  grep -r "app/admin/controller/Product.php" /var/www/html/
• php / web:
  curl -I http://your-foxcms-site.com/admin/product/add | grep -i "X-XSS-Protection"
• generic web:
  curl -I http://your-foxcms-site.com/admin/product/add | grep -i "content-security-policy"
disclosure
poc
Exploit status
EPSS
0.08% (percentile 23%)
CISA SSVC
The primary mitigation for CVE-2025-12920 is to upgrade FoxCMS to version 1.2.10 or later, which contains the fix for this vulnerability. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the Title field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Regularly review and update your WAF rules to ensure they are effective against known XSS patterns.
Update FoxCMS to version 1.2.17 or later. This version fixes the Cross-Site Scripting (XSS) vulnerability in the product edit function. The update can be performed by downloading the latest version from the official website and replacing the existing files.
CVE-2025-12920 is a cross-site scripting (XSS) vulnerability affecting FoxCMS versions 1.2.0 through 1.2.16, allowing attackers to inject malicious scripts.
You are affected if you are using FoxCMS versions 1.2.0 to 1.2.16. Check your version and upgrade immediately if vulnerable.
Upgrade FoxCMS to version 1.2.10 or later to resolve the vulnerability. Implement input validation as a temporary workaround.
A public proof-of-concept exists, indicating a high probability of active exploitation.
Due to lack of vendor response, an official advisory may not be available. Monitor security news sources and vulnerability databases for updates.
1.2.14
1.2.15
1.2.16
1.2.17
CVSS vector