Fixed version
1.0.1
CVE-2025-13182 describes a cross-site scripting (XSS) vulnerability affecting pojoin h3blog version 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the Title argument of the /admin/cms/category/addtitle file. A public proof-of-concept is available, indicating a heightened risk of exploitation.
Successful exploitation of CVE-2025-13182 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including stealing session cookies, redirecting users to phishing sites, or modifying the content displayed on the h3blog platform. Given the administrative nature of the affected file (/admin/cms/category/addtitle), an attacker who gains access could potentially compromise the entire h3blog instance and its associated data. The availability of a public proof-of-concept significantly lowers the barrier to entry for attackers.
CVE-2025-13182 has been publicly disclosed and a proof-of-concept is available, indicating a moderate risk of exploitation. The vulnerability was published on 2025-11-14. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the public PoC elevates the risk. No KEV listing or confirmed exploitation campaigns are currently known.
Administrators and users of pojoin h3blog version 1.0 are at risk. Shared hosting environments that utilize this software are particularly vulnerable, as attackers may be able to exploit the vulnerability through other tenants on the same server. Users who haven't implemented robust input validation practices are also at increased risk.
• php / server:
grep -r "/admin/cms/category/addtitle" /var/www/html/*
• generic web:
curl -I http://your-h3blog-site.com/admin/cms/category/addtitle | grep -i "x-xss-protection"
Disclosure
Exploitation status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13182 is to upgrade to a patched version of pojoin h3blog. Since no fixed version is specified, it's crucial to consult the vendor's official advisory for the latest release. As a temporary workaround, implement strict input validation and output encoding on the Title field within /admin/cms/category/addtitle. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging XSS techniques.
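The workaround above, validation on input plus HTML encoding on output for the category Title field, as an added example written for this page; it is not h3blog's own code and assumes nothing about the framework h3blog uses (function names, the sample title and the list-item markup are constructed for illustration).

```python
import html
import re

# Constructed sample value for the Title field (not taken from the advisory).
SAMPLE_TITLE = '<script>alert(1)</script>Security'

MAX_TITLE_LEN = 64
# ASCII control characters are rejected outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_category_title(title: str) -> str:
    """Input validation: normalise whitespace and reject titles that are empty,
    too long, or contain control characters. Returns the cleaned title.
    Validation alone does NOT make the value safe to render; encode on output."""
    cleaned = " ".join(title.split())
    if not cleaned:
        raise ValueError("title must not be empty")
    if len(cleaned) > MAX_TITLE_LEN:
        raise ValueError(f"title longer than {MAX_TITLE_LEN} characters")
    if _CONTROL_CHARS.search(cleaned):
        raise ValueError("title contains control characters")
    return cleaned


def render_category_unsafe(title: str) -> str:
    """The vulnerable pattern: the stored title is concatenated straight into
    HTML, so any markup it carries becomes part of the page (stored XSS)."""
    return f'<li class="category">{title}</li>'


def render_category_safe(title: str) -> str:
    """Hardened pattern: HTML-encode the title for the element-body context;
    quote=True also makes the result safe inside a quoted attribute value."""
    return f'<li class="category">{html.escape(title, quote=True)}</li>'


def add_category(raw_title: str) -> str:
    """Validate on input, encode on output; returns the safe HTML fragment."""
    return render_category_safe(validate_category_title(raw_title))
```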
Upgrade to a patched version or apply the necessary security measures to prevent XSS code injection in the Title field when adding a category.
CVE-2025-13182 is a cross-site scripting (XSS) vulnerability in pojoin h3blog version 1.0, allowing attackers to inject malicious scripts via the Title argument in /admin/cms/category/addtitle.
If you are using pojoin h3blog version 1.0, you are potentially affected by this vulnerability. Upgrade to the latest version as soon as possible.
Upgrade to a patched version of pojoin h3blog. Consult the vendor's official advisory for the latest release. Implement input validation and output encoding as a temporary workaround.
A public proof-of-concept exists, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Consult the pojoin website or security mailing lists for the official advisory regarding CVE-2025-13182.