CVE-2025-50754
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-08-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unisite | cms | 5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50754 is a stored Cross-Site Scripting (XSS) vulnerability in Unisite CMS version 5.0's "Report" functionality. An attacker submits a malicious JavaScript payload via the public report form. When an administrator views this report in the admin panel, the script executes in the admin's browser, stealing the admin session cookie. Using the hijacked session, the attacker accesses the admin interface, specifically the template editor, where they inject PHP code into a template file. This results in a persistent web shell on the server, allowing full remote code execution. [1]
How can this vulnerability impact me? :
This vulnerability can lead to a full administrative takeover of the CMS. An attacker can hijack the admin session, gain access to sensitive administrative features, upload a PHP web shell, and execute arbitrary commands on the server. This results in remote code execution, potential data leakage or modification, and persistence through backdoors, severely compromising the security and integrity of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for suspicious admin panel activity, especially viewing reports containing malicious scripts. Since the exploit involves stored XSS in the 'Report' feature and subsequent web shell upload, you can check for unusual .tpl template files or web shells like 's.php' on the server. Commands to detect the presence of the web shell include: `find /path/to/cms -name 's.php'` to locate the uploaded shell, and `grep -r '<?php' /path/to/cms/templates/` to find injected PHP code in template files. Additionally, monitoring web server logs for unusual admin panel access or commands executed via the web shell (e.g., `id`, `ls -la`) can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and escaping all user inputs in the 'Report' feature to prevent malicious scripts from being stored and executed. Avoid rendering untrusted HTML or JavaScript in the admin panel. Enforce a strict Content Security Policy (CSP) to limit script execution. Restrict access to sensitive features such as the template editor to trusted administrators only. Additionally, monitor for and remove any unauthorized web shells or injected PHP code. Since no official patch is available, these mitigations help reduce the risk of exploitation. [1]