How to fix CVE-2025-54175?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Verify Content-Security-Policy and output encoding.

Is Quick Cms Ext affected by CVE-2025-54175?

Organizations using QuickCMS.EXT should be aware of moderate risk from CVE-2025-54175, a cross-site scripting vulnerability rated CVSS 4.6. Attackers could inject scripts to steal sessions or perform actions as authenticated users.

Quick Cms Ext CVE-2025-54175

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-08-20 [email protected]

XSS Quick Cms Ext

4.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:07 vuln.today

CVE Published

Aug 20, 2025 - 13:15 nvd

MEDIUM 4.6

DescriptionNVD

QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. Affected products include: Opensolution Quick.Cms.Ext. Version information: version 6.8.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-54175 vulnerability details – vuln.today

Back

Quick Cms Ext CVE-2025-54175

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

Quick Cms Ext CVE-2025-54175

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code