LOW · CVE-2025-13182 · CVSS 3.5

pojoin h3blog addtitle cross site scripting


Platform

php

Component

cve-md

Fixed in

1.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-13182 describes a cross-site scripting (XSS) vulnerability in pojoin h3blog version 1.0. The flaw resides in the Title argument of the /admin/cms/category/addtitle file: a value submitted there is not neutralised before it is rendered, so an attacker can inject script that runs in the browser of a user who views the resulting page, which can lead to session hijacking or defacement. A public proof-of-concept is available, which raises the likelihood of exploitation.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-13182 allows an attacker to execute arbitrary JavaScript in the browser session of a user who views the injected title. Typical outcomes are theft of session cookies, redirection to phishing pages, or modification of the content h3blog displays. Because the affected endpoint sits under /admin/cms/category/, the viewer is likely to be an administrator, and script running in an administrator's session can perform any action that session is allowed to perform in the CMS; this is why the admin context matters more than the LOW base score alone suggests. The CVSS vector nonetheless rates the direct impact as low integrity only (C:N/I:L/A:N) and requires an authenticated low-privilege account (PR:L) plus user interaction (UI:R). The public proof-of-concept lowers the barrier to entry for attackers.

Exploitation Context

CVE-2025-13182 was published on 2025-11-14 and has been publicly disclosed with a proof-of-concept available (CVSS temporal E:P, SSVC exploitation: poc), indicating a moderate risk of exploitation. The LOW CVSS score of 3.5 reflects the limited impact (integrity only), the need for an authenticated low-privilege account and the user interaction required, not a difficult exploitation path; the public PoC raises the practical risk above what the score alone implies. No CISA KEV listing or confirmed exploitation campaign is currently known, and the EPSS score is 0.06%.

Who Is at Risk

Administrators and users of pojoin h3blog version 1.0 are at risk. The vulnerability is reachable over the network (AV:N) by any account able to submit a category title (PR:L), so instances whose admin interface is exposed to the Internet, which this page rates as high exposure, are of most concern. Every deployment still on 1.0 remains exposed until it is upgraded to the fixed version.

Detection Steps

• php / server: locate the handler for the affected route in the deployed code base. This confirms the vulnerable component is present; comparing the installed version against 1.0.1 is what determines whether it is fixed:

grep -rl "category/addtitle" /var/www/html

• generic web: check which browser-side headers the endpoint sends. X-XSS-Protection is deprecated and ignored by current browsers; a Content-Security-Policy header is the meaningful control, and neither header's presence or absence proves the endpoint is patched:

curl -sI http://your-h3blog-site.com/admin/cms/category/addtitle | grep -iE "^(content-security-policy|x-xss-protection):"
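The commands above only establish that the endpoint exists and which headers it sends. Because the Title value is injected through a form and persists in the application, the more useful check is to audit what has already been saved as category titles and who posted to the endpoint. The following PHP script is an added example, not code from the pojoin h3blog project or from this advisory: it flags stored titles containing markup that would execute if rendered unescaped (checking both the raw and entity-decoded forms), and parses combined-format access-log lines for POST requests to /admin/cms/category/addtitle. The titles and log lines are constructed sample data; h3blog's table and column names are not known here, so the script takes the titles as an array rather than querying the database.

```php
<?php
declare(strict_types=1);

// Added example (not h3blog project code). Audits stored category titles and
// access-log lines for signs that the addtitle XSS has been used.

const ADDTITLE_PATH = '/admin/cms/category/addtitle';

/**
 * Return the reasons a stored title looks like an XSS payload, or [] if clean.
 * Both the raw value and its entity-decoded form are checked so that a payload
 * that was entity-encoded on the way in (and decoded on the way out) is caught.
 */
function suspiciousTitleReasons(string $title): array
{
    $reasons = [];
    $candidates = [$title, html_entity_decode($title, ENT_QUOTES | ENT_HTML5, 'UTF-8')];
    $patterns = [
        'html tag'        => '/<\s*\/?\s*[a-z!]/i',
        'event handler'   => '/\bon[a-z]+\s*=/i',
        'javascript: URI' => '/javascript\s*:/i',
        'data: URI'       => '/data\s*:\s*text\/html/i',
    ];
    foreach ($candidates as $value) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $value) === 1 && !in_array($label, $reasons, true)) {
                $reasons[] = $label;
            }
        }
    }
    return $reasons;
}

/** Parse one Apache/nginx combined-format log line; null if it does not match. */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return [
        'client' => $m[1], 'user' => $m[2], 'time' => $m[3],
        'method' => $m[4], 'path' => $m[5], 'status' => (int) $m[6],
    ];
}

/** Return the parsed entries that wrote to the affected endpoint (query string ignored). */
function writesToAddtitle(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseAccessLogLine($line);
        if ($entry === null) {
            continue;
        }
        $path = parse_url($entry['path'], PHP_URL_PATH);
        if (!is_string($path)) {
            $path = $entry['path'];
        }
        if ($entry['method'] === 'POST' && $path === ADDTITLE_PATH) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample data for demonstration only.
$storedTitles = [
    'Announcements',
    'News & Updates',
    '<img src=x onerror=alert(document.cookie)>',
    '&lt;script&gt;fetch("//evil.example")&lt;/script&gt;',  // entity-encoded on storage
    '<a href="javascript:void(0)">x</a>',
];
$logLines = [
    '203.0.113.7 - editor [14/Nov/2025:10:01:02 +0000] "POST /admin/cms/category/addtitle HTTP/1.1" 302 0',
    '203.0.113.7 - editor [14/Nov/2025:10:01:03 +0000] "GET /admin/cms/category/list HTTP/1.1" 200 5120',
    '198.51.100.9 - - [14/Nov/2025:10:05:44 +0000] "GET /admin/cms/category/addtitle HTTP/1.1" 302 0',
];

foreach ($storedTitles as $t) {
    $reasons = suspiciousTitleReasons($t);
    if ($reasons !== []) {
        printf("SUSPICIOUS title %s: %s\n", json_encode($t), implode(', ', $reasons));
    }
}
foreach (writesToAddtitle($logLines) as $hit) {
    printf("POST to addtitle from %s (user %s) at %s -> %d\n",
        $hit['client'], $hit['user'], $hit['time'], $hit['status']);
}
```

Run it with php on a host that has the standard PCRE and mbstring-independent functions available (only html_entity_decode, preg_match and parse_url are used). In practice, replace $storedTitles with the result of a SELECT over the categories table and $logLines with the web server's access log; a POST to the endpoint followed shortly by a flagged title is the pattern that indicates the flaw was exercised.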

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High

EPSS

0.06% (20th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3.5 LOW (nextguardhq.com · CVSS v3.1 base score)

What do these metrics mean?

Attack Vector: Network. How the attacker reaches the target: remotely exploitable over the Internet, no physical or local access required.
Attack Complexity: Low. Conditions required to exploit: no special preconditions, reliably exploitable.
Privileges Required: Low. Authentication level required: any valid user account is sufficient.
User Interaction: Required. Whether the victim must act: the victim must open a file, click a link or visit a page.
Scope: Unchanged. Impact beyond the affected component: none, limited to the vulnerable component.
Confidentiality: None. Risk of sensitive-data exposure: no confidentiality impact.
Integrity: Low. Risk of unauthorised data modification: the attacker can modify some data of limited extent.
Availability: None. Risk of service disruption: no availability impact.

Affected Software

Component: cve-md
Vendor: pojoin
Affected range: 1.0 – 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 191 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-13182 is to upgrade to a patched version of pojoin h3blog. This page lists 1.0.1 as the fixed version, but its timeline still records no patch 191 days after disclosure, so confirm the fix against the vendor's official advisory before relying on the upgrade alone. As a temporary workaround, apply contextual output encoding wherever the Title field from /admin/cms/category/addtitle is rendered (HTML-entity encoding in element content and attribute values), and restrict the field on input to a sensible length and character set; output encoding is the control that actually stops the script from executing, and input validation only narrows what can be stored. A web application firewall configured to block common XSS payloads adds a layer of protection, and a Content-Security-Policy that disallows inline script limits the damage if an encoding gap remains. Review and update WAF rules regularly, since they are bypassable and should not be the only control.
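To make the workaround concrete, the following PHP is an added example, not code from the pojoin h3blog project: it shows the rendering pattern that makes a stored category title injectable beside a hardened version that validates the input and entity-encodes every dynamic value at output, plus a Content-Security-Policy helper for defence in depth. The function names, the TITLE_MAX_LEN limit, the edit URL and the sample payload are assumptions chosen for illustration; h3blog's real handler and template code are not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example (not h3blog project code). Vulnerable rendering pattern for a
// category title beside its hardened equivalent. Limit value is an assumption.

const TITLE_MAX_LEN = 120;

/** Vulnerable pattern: the stored title is concatenated straight into HTML. */
function renderCategoryRowVulnerable(string $title): string
{
    return "<tr><td>$title</td></tr>";
}

/**
 * Input validation for the Title field. This is a sanity filter, not the XSS
 * defence: it rejects empty, overlong or control-character input but does not
 * try to strip tags, because tag-stripping is easy to bypass and gives a false
 * sense of safety. Requires the mbstring extension for the UTF-8 checks.
 */
function validateTitle(string $raw): ?string
{
    $title = trim($raw);
    if ($title === '' || !mb_check_encoding($title, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($title, 'UTF-8') > TITLE_MAX_LEN) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title) === 1) {
        return null;
    }
    return $title;
}

/** Encode for HTML element content and quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened rendering: the same row, but every dynamic value passes through e(). */
function renderCategoryRowSafe(string $title, string $editUrl): string
{
    return '<tr><td>' . e($title) . '</td>'
         . '<td><a href="' . e($editUrl) . '" title="' . e($title) . '">edit</a></td></tr>';
}

/**
 * Defence in depth: a CSP that blocks inline script even if an encoding gap
 * remains somewhere. The per-response nonce lets the template's own scripts
 * (tagged nonce="...") run while injected inline script is refused.
 * Must be called before any output is sent.
 */
function sendContentSecurityPolicy(): void
{
    $nonce = base64_encode(random_bytes(16));
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; object-src 'none'; base-uri 'self'");
}

// Constructed sample payload of the kind the addtitle endpoint would store.
$payload = '"><img src=x onerror=alert(document.cookie)>';

echo "vulnerable: " . renderCategoryRowVulnerable($payload) . "\n";
// The payload is not rejected by validation (it is valid text); encoding is what neutralises it.
$title = validateTitle($payload) ?? '';
echo "hardened:   " . renderCategoryRowSafe($title, '/admin/cms/category/edit?id=1') . "\n";
echo "control chars rejected: " . (validateTitle("Bad\x00Title") === null ? 'yes' : 'no') . "\n";
```

The vulnerable line prints the img tag intact, so a browser would run the onerror handler; the hardened line prints it as &quot;&gt;&lt;img ...&gt; text, which renders literally. Keep the encoding at the output site rather than at storage time, so that the same stored value stays correct when it is later emitted into a different context (a JSON API, an RSS feed, a JavaScript string), each of which needs its own encoder.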

How to Remediate

Upgrade to a patched version, or apply the necessary security measures to prevent XSS code injection through the Title field when adding a category.


Frequently Asked Questions

What is CVE-2025-13182 — XSS in pojoin h3blog?

CVE-2025-13182 is a cross-site scripting (XSS) vulnerability in pojoin h3blog version 1.0, allowing attackers to inject malicious scripts via the Title argument in /admin/cms/category/addtitle.

Am I affected by CVE-2025-13182 in pojoin h3blog?

If you are running pojoin h3blog version 1.0, you are potentially affected by this vulnerability. Upgrade to the fixed version this page lists (1.0.1) or later as soon as possible, after confirming the fix in the vendor's advisory.

How do I fix CVE-2025-13182 in pojoin h3blog?

Upgrade to a patched version of pojoin h3blog. Consult the vendor's official advisory for the latest release. Implement input validation and output encoding as a temporary workaround.

Is CVE-2025-13182 being actively exploited?

A public proof-of-concept exists, which lowers the effort required to exploit the flaw, but no CISA KEV listing or confirmed exploitation campaign is known and the EPSS score is 0.06%. Monitor requests to /admin/cms/category/addtitle and the stored category titles for suspicious content.

Where can I find the official pojoin advisory for CVE-2025-13182?

Consult the pojoin website or security mailing lists for the official advisory regarding CVE-2025-13182.
