Foxcms
CVE-2025-2653
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in FoxCMS 1.25 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
A vulnerability was found in FoxCMS 1.25 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-266. A vulnerability was found in FoxCMS 1.25 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Affected products include: Qianfox Foxcms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
FoxCMS version 1.2.5 contains an unauthenticated remote code execution vulnerability in the case display page of the ind
FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controlle
An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers
foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method. Rated c
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. Rated high severity (CVSS 8.8), this
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. Rated high severity (
foxcms v1.2.5 was discovered to contain a SQL injection vulnerability via the executeCommand method in DataBackup.php. R
An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to
An issue in the restores method (DataBackup.php) of foxcms v2.0.6 allows attackers to execute a directory traversal. Rat
Foxcms v1.25 contains a SQL time-based injection vulnerability in the installdb.php installation script, specifically in
FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Colum
FOXCMS <= V1.25 is vulnerable to SQL Injection via $param['title'] in /admin/util/Field.php. Rated high severity (CVSS 7
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today