CVE-2025-7569
BaseFortify
Publication date: 2025-07-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigotry | onebase | 1.3.6 |
| thinkphp | thinkphp | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7569 is a reflected Cross-Site Scripting (XSS) vulnerability in Bigotry OneBase up to version 1.3.6. It occurs in the parse_args function of the file /tpl/think_exception.tpl, where user input is not properly sanitized before being displayed in the Call Stack debug output on exception pages. This allows attackers to inject malicious JavaScript code that executes in the context of the admin panel when an exception is triggered, such as by submitting crafted input in certain URLs. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to several serious impacts including admin session hijacking by stealing cookies or tokens via injected scripts, privilege escalation by executing malicious scripts that can modify admin settings or create backdoor accounts, and phishing attacks by injecting fake login forms to capture credentials. These impacts can compromise the security and integrity of the affected system. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to trigger the reflected XSS via specially crafted URLs that inject JavaScript code into the exception handling output. For example, you can test URLs such as: - http://target-ip/admin.php/config/configlist/order_field/?1<script>alert(123)</script> - http://target-ip/admin.php/menu/setstatus/ids/210/?1<script>alert(1)</script> If the JavaScript alert pop-ups appear, the system is vulnerable. You can use tools like curl or wget to send these requests and observe the response for injected script tags. Example command: curl -i "http://target-ip/admin.php/config/configlist/order_field/?1<script>alert(123)</script>" Look for the injected script in the response body. Additionally, monitoring web server logs for suspicious requests containing script tags or unusual parameters can help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: - Avoid using the affected versions of Bigotry OneBase (up to 1.3.6) if possible, as no official patches or vendor responses are available. - Restrict access to the admin panel and exception debug pages to trusted IPs or networks to reduce exposure. - Implement web application firewall (WAF) rules to detect and block requests containing suspicious script tags or attempts to inject JavaScript. - Disable detailed exception debug output in production environments to prevent exposure of unsanitized call stack information. - Consider replacing the affected product with an alternative that is not vulnerable. These steps help reduce the risk of exploitation until a proper fix or patch is available. [2]