Platform: other
Component: opencms
Fixed in: 2.2.1
A cross-site scripting (XSS) vulnerability has been identified in OpenCms versions 2.2 through 2.2. This flaw resides within the Add Model Management Page, specifically affecting the handling of the 模板前缀 parameter. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability was publicly disclosed on January 24, 2025, and a patch is available in version 2.2.1.
The XSS vulnerability in OpenCms allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal user credentials, redirect users to malicious websites, or deface the website. The attack is initiated remotely, meaning an attacker does not need to be authenticated to exploit the vulnerability. The impact can range from minor annoyance to complete account takeover, depending on the attacker's skill and the privileges of the affected user. Given the nature of XSS, the potential for lateral movement is limited, but the attacker could potentially use stolen credentials to access other systems within the network if those systems use the same credentials.
This vulnerability was publicly disclosed on January 24, 2025. A public proof-of-concept is likely to emerge given the ease of exploitation of XSS vulnerabilities. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation in the absence of a readily available exploit. It is not currently listed on the CISA KEV catalog.
Organizations running OpenCms version 2.2 are at risk. Specifically, those with publicly accessible administration interfaces or those who allow user-supplied data to be directly reflected in web pages are particularly vulnerable. Shared hosting environments utilizing OpenCms may also be affected, as vulnerabilities in one user's installation can potentially impact others.
• generic web: Use curl or wget to test the /admin/model/addOrUpdate endpoint with a simple XSS payload in the 模板前缀 parameter, then check the response for signs of script execution. Replace the placeholder <opencms-host> with the host of the installation under test; the form value is URL-encoded so the non-ASCII parameter name is sent correctly:
  curl -X POST "https://<opencms-host>/admin/model/addOrUpdate" --data-urlencode "模板前缀=<script>alert('XSS')</script>"
• generic web: Examine web server access logs for requests to /admin/model/addOrUpdate containing suspicious characters or patterns in the 模板前缀 parameter.
• generic web: Review response headers for any unexpected content or modifications that could indicate XSS activity.
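The log review suggested above, as an added example that is not part of this advisory or of OpenCms: it parses access-log lines in the common combined format, keeps only requests to /admin/model/addOrUpdate, percent-decodes the 模板前缀 query value (repeatedly, so double encoding is not missed) and flags values that contain a tag, a javascript: URL or an inline event handler. The log lines are constructed for the example. One caveat a practitioner should keep in mind: a standard access log records only the request line, so a payload sent in a POST body (as in the curl command above) will not appear there; body-level detection needs a WAF, a reverse proxy with request-body logging, or the application's own logging.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from any real system.
# The second and third lines carry script-like content in the 模板前缀 query parameter
# (%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80 is the UTF-8 percent-encoding of that name).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2025:10:01:12 +0000] "GET /admin/model/addOrUpdate?%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2025:10:02:40 +0000] "GET /admin/model/addOrUpdate?%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [24/Jan/2025:10:03:01 +0000] "GET /admin/model/addOrUpdate?%E6%A8%A1%E6%9D%BF%E5%89%8D%E7%BC%80=x%22%20onmouseover%3Dalert(1)%20y HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [24/Jan/2025:10:04:15 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/admin/model/addOrUpdate"
TARGET_PARAM = "模板前缀"  # the vulnerable parameter named in the advisory

# Fields of one combined-log-format line: client IP, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business in a template prefix: the start of a tag, a javascript: URL,
# or an inline event-handler attribute. Case-insensitive; whitespace between tokens tolerated.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded payload does not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request whose 模板前缀 query value looks like markup or script."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs decodes the UTF-8 percent-encoded parameter name to 模板前缀 for us.
        for raw in parse_qs(parts.query).get(TARGET_PARAM, []):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                findings.append({"ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
                                 "status": m["status"], "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} {TARGET_PATH} 模板前缀={f['value']!r}")
```

Run against a real log, `scan_access_log` should be fed the file contents; on the constructed sample it reports the two requests from 203.0.113.9 and ignores both the benign prefix and the script-like value sent to an unrelated path.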
disclosure
Exploit Status
EPSS: 0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0708 is to upgrade OpenCms to version 2.2.1 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation on the 模板前缀 parameter to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Monitor web server access logs for suspicious activity, such as unusual requests containing JavaScript code. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload into the 模板前缀 field and verifying that it is not executed.
Update to a patched version of opencms that fixes the XSS vulnerability. If no such version is available, review the code of the addOrUpdate function behind /admin/model/addOrUpdate and correctly filter or escape the input of the 模板前缀 parameter to prevent injection of malicious code.
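The two mitigations named in the paragraphs above (input validation on 模板前缀, and escaping it where it is reflected) together with the post-upgrade check, as an added illustration that is not OpenCms code and does not reproduce how OpenCms renders the Add Model page: a reflection written the unsafe way beside the same reflection with HTML escaping, an allow-list validator whose character set is an assumption for this example (letters, digits, underscore and hyphen, at most 64 characters), and a helper that reports whether a harmless marker string came back unescaped in a response body.

```python
import html
import re

# Allow-list for a template prefix. ASSUMPTION for this example: letters, digits, '_' and '-',
# 1 to 64 characters. Adjust it to what your own template names actually use.
PREFIX_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_prefix(prefix: str) -> bool:
    """Input validation: reject anything outside the allow-list instead of trying to strip tags."""
    return PREFIX_ALLOWED.fullmatch(prefix) is not None


def render_vulnerable(prefix: str) -> str:
    """Reflects the parameter verbatim into an attribute: the pattern the advisory describes.
    Kept here only so the difference to render_fixed() is visible side by side."""
    return f'<input name="模板前缀" value="{prefix}">'


def render_fixed(prefix: str) -> str:
    """Output encoding: escape &, <, >, " and ' so the browser treats the value as text,
    never as markup, whatever the value contains."""
    return f'<input name="模板前缀" value="{html.escape(prefix, quote=True)}">'


def is_reflected_unescaped(response_body: str, marker: str) -> bool:
    """Post-upgrade check: True if the raw marker appears verbatim in the page, which means
    the value is still being reflected without encoding."""
    return marker in response_body


# A constructed marker: it closes the attribute and opens a tag, but executes nothing.
MARKER = '"><b>cve-2025-0708-check</b>'

if __name__ == "__main__":
    print("valid prefix      :", is_valid_prefix("news_2025"))
    print("marker valid      :", is_valid_prefix(MARKER))
    print("unsafe render     :", render_vulnerable(MARKER))
    print("escaped render    :", render_fixed(MARKER))
    print("unsafe reflects   :", is_reflected_unescaped(render_vulnerable(MARKER), MARKER))
    print("escaped reflects  :", is_reflected_unescaped(render_fixed(MARKER), MARKER))
```

Validation and encoding are complementary, not alternatives: the allow-list stops bad values at the edge, while escaping at the point of output protects against any path the validator did not cover. For the verification step after upgrading, feed the real response body of the Add Model page to `is_reflected_unescaped` with the same marker; a `False` result means the value came back encoded.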
CVE-2025-0708 is a cross-site scripting (XSS) vulnerability affecting OpenCms versions 2.2 through 2.2. It allows attackers to inject malicious scripts via the 模板前缀 parameter in the Add Model Management Page.
You are affected if you are running OpenCms version 2.2. Versions prior to 2.2.1 are vulnerable to this XSS attack.
Upgrade OpenCms to version 2.2.1 or later to resolve the vulnerability. Input validation and WAF rules can provide temporary mitigation.
While exploitation is not currently confirmed, the public disclosure and ease of XSS exploitation suggest active exploitation is possible.
Refer to the OpenCms security advisories page for the latest information and official announcements regarding CVE-2025-0708.