westboy CicadasCMS CVE-2025-11289
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD, the only source for this CVE.
Description (CVE.org)
A vulnerability was determined in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The impacted element is the function Save of the file src/main/java/com/zhiliao/common/template/TemplateFileServiceImpl.java of the component Template Management Page. This manipulation causes cross-site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI)
Stored cross-site scripting (XSS) in the westboy CicadasCMS Template Management Page allows high-privileged users to inject malicious scripts via the Save function in TemplateFileServiceImpl.java, affecting downstream users who interact with the stored templates. The vulnerability requires high privileges and user interaction, and carries a CVSS score of 1.9 because of its minimal integrity impact; however, exploit code is publicly available, so the disclosure is real even though the exploitation probability is extremely low (EPSS 0.03%).
Technical Context (AI)
The vulnerability exists in the Template Management component of CicadasCMS, specifically in the Save function of src/main/java/com/zhiliao/common/template/TemplateFileServiceImpl.java. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue where user-supplied input in template files is not properly sanitized or encoded before being stored and rendered. Java-based web applications handling template content are susceptible to stored XSS when input validation and output encoding are insufficient. The affected CPE indicates CicadasCMS version 1.0 and potentially other versions up to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. The primary mitigation is to upgrade CicadasCMS to a patched version beyond commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab; version details are available from https://github.com/westboy/CicadasCMS or from the vendor. Immediate compensating controls:
(1) Restrict access to the Template Management Page to the strictly necessary high-privilege users via role-based access control, reducing the attack surface.
(2) Deploy Content Security Policy (CSP) headers with strict-dynamic and script-src restrictions to limit execution of stored XSS payloads in browsers.
(3) Enable HTML/JavaScript input validation and output encoding in template file processing, ensuring all user input is escaped before storage.
(4) Audit all existing templates for suspicious content and monitor template modification logs for unauthorized changes.
Each mitigation has trade-offs: restricting access may reduce functionality, CSP may break legitimate dynamic content, and template scanning requires manual effort.
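As an added illustration of the output-encoding control (3), not code from CicadasCMS: a small Java class (hypothetical names TemplateViewEncoder, save and renderEditor) that keeps template source raw at rest, because templates are HTML by design, and HTML-encodes it only when echoing it back into the management page, which is where a stored payload would otherwise execute. The template content in main is a constructed sample.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not CicadasCMS code: contextual HTML encoding for
 *  template source displayed in a Template Management page (CWE-79). */
public class TemplateViewEncoder {

    /** Encode every character that can change HTML parsing context. */
    public static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hypothetical stored template files (constructed in-memory store). */
    static final Map<String, String> STORE = new LinkedHashMap<>();

    /** Stand-in for a Save handler: templates are code, so the source is
     *  kept as written; the protection is applied at render time instead. */
    static void save(String name, String source) { STORE.put(name, source); }

    /** Render the editor view: stored source is encoded before it is placed
     *  inside the page, so it can neither close the textarea nor add tags. */
    static String renderEditor(String name) {
        String src = STORE.getOrDefault(name, "");
        return "<textarea name=\"content\">" + encodeForHtml(src) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample: a template body carrying an inline script.
        save("header.html", "<div>{{title}}</div><script>alert(1)</script>");
        String page = renderEditor("header.html");
        System.out.println(page);
        // Encoded output contains no raw tag, so the browser shows it as text.
        System.out.println(page.contains("<script") ? "UNSAFE" : "safe");
    }
}
```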