EUVD-2025-28466

CVE-2025-52791 HIGH
Published 2025-06-20 ([email protected])
CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-28466
CVE Published: Jun 20, 2025 - 15:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in devfelixmoira Knowledge Base – Knowledge Base Maker allows Stored XSS. This issue affects Knowledge Base – Knowledge Base Maker: from n/a through 1.1.8.

Analysis

CVE-2025-52791 is a CSRF vulnerability in devfelixmoira Knowledge Base Maker (versions up to 1.1.8) that enables Stored XSS: a remote attacker who holds no privileges of their own (PR:N) can induce an authenticated user's browser to submit a forged request that stores a malicious script, which then persists and executes in the browsers of other users who view the content. The attack requires user interaction (the victim clicking a malicious link, UI:R) but can affect multiple users through the stored payload; the CVSS 3.1 base score is 7.1 (rated High). No KEV listing or confirmed EPSS data is available in public sources, and patch availability status requires verification with the vendor.

Technical Context

This vulnerability chains two distinct weaknesses: CSRF (CWE-352) as the primary classification and Stored XSS as the secondary impact. CSRF exploits the trust between a user's browser and the Knowledge Base Maker application by tricking an authenticated user into performing an unintended action without their knowledge. The chain likely involves insufficient CSRF token validation or missing anti-CSRF protections on state-changing operations (such as creating, editing, or deleting knowledge base entries).

The Stored XSS component indicates that user-supplied input is persisted in the database without proper sanitization or encoding, and is later rendered to other users without escaping for the HTML/JavaScript context.

The affected product is devfelixmoira Knowledge Base Maker (CPE pattern: cpe:2.3:a:devfelixmoira:knowledge_base_maker:*:*:*:*:*:*:*:*), specifically versions 1.1.8 and below. The attack vector is Network (AV:N) with Low complexity (AC:L) and no privilege requirements (PR:N), meaning any remote actor can craft the forged request; the victim must still be an authenticated user who is induced to trigger it (UI:R), and the Changed scope (S:C) reflects that the impact lands in users' browsers rather than only in the application itself.

Affected Products

Knowledge Base Maker (1.1.8 and earlier)

Remediation

- Upgrade (priority: High): Upgrade to Knowledge Base Maker version 1.1.9 or later when available from devfelixmoira.
- Mitigation - Input Validation (priority: High): Implement strict input validation and sanitization for all user-supplied data before storing it in the database. Use a whitelist-based approach to allow only safe HTML tags if rich text is necessary.
- Mitigation - Output Encoding (priority: High): Apply context-aware output encoding when rendering knowledge base content. Use HTML entity encoding for HTML context and JavaScript encoding for script context.
- Mitigation - CSRF Protection (priority: High): Implement anti-CSRF tokens (e.g., synchronizer token pattern or double-submit cookies) on all state-changing endpoints. Verify token presence and validity on the server side.
- Mitigation - CSP (priority: Medium): Deploy Content Security Policy (CSP) headers to restrict script execution from unauthorized sources, limiting XSS impact even if injection occurs.
- Workaround (priority: Medium): Restrict write access to knowledge base content to trusted administrators only. Implement role-based access control (RBAC) to minimize the exposure surface.
- Vendor Advisory (priority: Medium): Monitor devfelixmoira security advisories and the GitHub repository for patch releases. Contact the vendor directly if no patch timeline is provided.
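The CSRF-protection and output-encoding mitigations above, as an added example that is not the Knowledge Base Maker plugin's own code: a minimal "create entry" endpoint that enforces the synchronizer token pattern with a constant-time comparison and entity-encodes stored content when rendering it in HTML context. The in-memory session and entry stores, the sample entries and all function names are constructed assumptions for the example.

```python
import hmac
import html
import secrets

# Constructed in-memory session and entry stores for the example only;
# a real deployment would use its framework's session store and database.
_sessions: dict[str, dict] = {}
_entries: list[dict] = []


def new_session() -> str:
    """Start a session and bind a fresh synchronizer (anti-CSRF) token to it."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Token the legitimate edit form embeds; a cross-site page cannot read it."""
    return _sessions[sid]["csrf"]


def create_entry(sid: str, form: dict) -> dict:
    """State-changing endpoint: accept only if the submitted token matches the session's."""
    sess = _sessions.get(sid)
    if sess is None:
        return {"ok": False, "reason": "no session"}
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a forged cross-site POST carries no valid token.
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return {"ok": False, "reason": "csrf token missing or invalid"}
    # Persist the raw text; encoding belongs at output time, per rendering context.
    _entries.append({"title": form.get("title", ""), "body": form.get("body", "")})
    return {"ok": True, "id": len(_entries) - 1}


def render_entry(entry_id: int) -> str:
    """HTML context: entity-encode stored fields so markup is displayed, not executed."""
    e = _entries[entry_id]
    return f"<h2>{html.escape(e['title'])}</h2><p>{html.escape(e['body'])}</p>"


if __name__ == "__main__":
    sid = new_session()
    # Forged request: valid session cookie, but no token (a cross-site page cannot obtain it).
    print(create_entry(sid, {"title": "x", "body": "<script>x</script>"}))
    # Legitimate submission containing markup: stored, then neutralised on render.
    res = create_entry(sid, {"title": "FAQ", "body": "<script>x</script>",
                             "csrf_token": csrf_token(sid)})
    print(render_entry(res["id"]))
```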

Priority Score

36 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

EUVD-2025-28466 vulnerability details – vuln.today