CVE-2025-7748
BaseFortify
Publication date: 2025-07-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| εδΊ¬ζ³½ε θΏ ιΏθ½―δ»Άζιε ¬εΈ | zcms | 3.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7748 is a stored cross-site scripting (XSS) vulnerability in ZCMS version 3.6.0, specifically in the 'Create Article Page' component. It occurs because the 'Title' argument is not properly sanitized, allowing attackers to inject malicious scripts that get stored and later executed in the browsers of users who view the affected pages. Exploitation requires the attacker to be authenticated and involves user interaction. This vulnerability corresponds to CWE-79 and is classified as problematic. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to inject malicious scripts into the web pages of the affected CMS, potentially compromising data integrity and user security. Since the malicious scripts are stored and executed in the browsers of other users, it can lead to session hijacking, defacement, or other malicious actions performed on behalf of legitimate users. Exploitation requires authentication and user interaction, but a proof-of-concept exploit is publicly available, making it easier for attackers to exploit. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to inject malicious scripts into the 'Title' field of the 'Create Article Page' in ZCMS 3.6.0. Network or system monitoring can focus on HTTP requests containing suspicious script tags or payloads in the Title parameter. Since a proof-of-concept exploit is publicly available, you can use web application security scanners or custom scripts to test the input sanitization of the Title field. Specific commands are not provided in the resources, but monitoring web server logs for unusual POST requests to the article creation endpoint with script payloads is recommended. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the 'Create Article' function to trusted users only, as exploitation requires authentication. Since no known countermeasures or mitigations are documented, consider disabling or restricting the vulnerable functionality temporarily. Additionally, consider replacing ZCMS 3.6.0 with an alternative CMS or applying input validation and output encoding to neutralize malicious scripts in the Title field. Monitoring and educating users about the risk of interacting with untrusted content can also help reduce impact. [1, 2]