CVE-2025-29094
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-06-11
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| motivian | content_management_system | 41.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-29094 is a Multiple Stored Cross-Site Scripting (XSS) vulnerability in Motivian Content Management System version 41.0.0. It affects the Marketing/Forms, Marketing/Offers, and Content/Pages components, allowing a remote attacker to inject and execute arbitrary JavaScript code in users' browsers by submitting malicious scripts into input fields like form titles or header script fields. This means an attacker can run harmful scripts when a victim views the affected content. [1]
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary JavaScript execution in the victim's browser, which may result in session hijacking, website defacement, or other malicious actions performed within the context of the victim's browser. Because the attack is remote and requires only low privileges and some user interaction, it poses a high risk to confidentiality and user security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a test script into the input fields of the affected components (Marketing/Forms, Marketing/Offers, Content/Pages) and observing if the script executes when the data is rendered. For example, injecting a payload like `<script>alert(document.domain)</script>` into the Name field of a new form in Marketing/Forms and then checking if the alert executes confirms the presence of the stored XSS. Detection involves manual testing or automated scanning targeting these input fields for script injection and execution. Specific commands are not provided, but using tools like curl or Burp Suite to submit crafted HTTP requests with script payloads to these components can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing all user inputs and escaping outputs before rendering them to prevent script injection. Additionally, implementing a Content Security Policy (CSP) header is recommended to restrict the execution of unauthorized scripts and reduce the risk of XSS exploitation. These measures help prevent malicious scripts from being injected and executed in the affected components. [1]