Platform: php
Component: agency-code-repo
Fixed version: 61.0.1
CVE-2019-25156 is a problematic cross-site scripting (XSS) vulnerability identified in Agency versions up to 61. This vulnerability allows attackers to inject malicious scripts into the application through manipulation of the QSType/QuickSearch argument within the file search functionality. Affected users should upgrade to version 61.0.1 to resolve this issue.
Successful exploitation of CVE-2019-25156 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, and personal data. An attacker could also redirect users to malicious websites, deface the application, or perform other actions on behalf of the victim. The impact is primarily focused on user interaction and data exposure, with potential for broader compromise depending on the application's functionality and data sensitivity.
This vulnerability was disclosed in 2019 and has been documented in the VDB as VDB-244495. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the potential impact warrant attention. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the vulnerability remains a potential risk if not addressed. Public proof-of-concept exploits are not widely available, but the vulnerability is easily reproducible.
Organizations running Agency version 61 or earlier are at risk. This includes deployments in shared hosting environments, where a reflected payload executes in the browsers of other users of the same application. Users who rely on Agency for file management and search functionality are particularly exposed.
• php: Examine the search.php file for unsanitized handling of the QSType parameter. Search for places where user input is written directly into the HTML output without encoding.

// Example of vulnerable code
<?php
echo $_GET['QSType']; // Vulnerable to XSS: the raw query parameter is reflected into the page unencoded
?>

• generic web: Monitor access logs for unusual requests targeting search.php with suspicious parameters in the QSType query string. Look for patterns indicative of XSS payloads; browsers URL-encode '<' as %3C in the query string, so match the encoded form as well as the literal one.

grep -iE 'QSType=[^& ]*(<|%3C)script' access.log
Exploitation status
EPSS: 0.13% (32nd percentile)
CVSS vector
The primary mitigation for CVE-2019-25156 is to upgrade Agency to version 61.0.1 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the QSType/QuickSearch parameter to prevent malicious input from being processed. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the file search functionality and verifying that it is not executed.
Apply the patch provided in commit 975b56953efabb434519d9feefcc53685fb8d0ab to the search.php file. Review the affected code to ensure that user input in the QSType and QuickSearch parameters is properly sanitized to prevent XSS attacks. Upgrade to a later version if one is available.
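As an added example (not Agency's own code and not the content of the commit above), the reflected-output pattern from the vulnerable snippet beside a hardened handler that allow-lists QSType and entity-encodes QuickSearch. The ALLOWED_QSTYPES values, the function names and the constructed request are assumptions for illustration; Agency's real parameter values are not on this page.

```php
<?php
declare(strict_types=1);

// Assumed set of valid QSType values; Agency's actual list is not on the page.
const ALLOWED_QSTYPES = ['files', 'folders', 'all'];

// Vulnerable: the raw query parameter is concatenated into markup, so a request
// such as search.php?QSType="><script>...</script> is rendered as HTML.
function renderSearchFormVulnerable(array $get): string
{
    return '<input name="QSType" value="' . ($get['QSType'] ?? '') . '">';
}

// Hardened: QSType is checked against a fixed allow-list (unknown values fall
// back to a default) and QuickSearch is treated as opaque text that is always
// HTML-encoded before it reaches the page.
function renderSearchFormHardened(array $get): string
{
    $type = $get['QSType'] ?? 'all';
    if (!in_array($type, ALLOWED_QSTYPES, true)) {
        $type = 'all';   // anything outside the allow-list is discarded
    }
    $raw = $get['QuickSearch'] ?? '';
    $query = is_string($raw) ? $raw : '';   // arrays (QuickSearch[]=...) are not search text
    // ENT_QUOTES encodes both quote styles so the value cannot close the
    // attribute; the explicit UTF-8 charset avoids multibyte mis-parsing.
    $safeQuery = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="QSType" value="' . $type . '">'
         . '<input name="QuickSearch" value="' . $safeQuery . '">';
}

// Constructed request mirroring the advisory's injection point.
$request = [
    'QSType'      => '"><script>alert(1)</script>',
    'QuickSearch' => '"><img src=x onerror=alert(1)>',
];
echo renderSearchFormVulnerable($request), PHP_EOL; // script tag lands in the page unchanged
echo renderSearchFormHardened($request), PHP_EOL;   // QSType becomes 'all'; QuickSearch is entity-encoded
```

Run it with `php search_example.php` (assumed filename) and compare the two output lines: the second contains `&quot;&gt;&lt;img ...` rather than live markup.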
CVE-2019-25156 is a cross-site scripting (XSS) vulnerability affecting Agency versions up to 61, allowing attackers to inject malicious scripts through the file search functionality.
Yes, if you are using Agency version 61 or earlier, you are vulnerable to this XSS attack. Upgrade to version 61.0.1 to mitigate the risk.
The recommended fix is to upgrade Agency to version 61.0.1 or later. Input validation and WAF rules can provide temporary protection.
While no widespread exploitation has been publicly reported, the vulnerability's ease of exploitation means it remains a potential risk.
Refer to the vendor's documentation and security advisories for Agency, and check the VDB entry (VDB-244495) for more details.