CVE-2025-52035
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-09-17

Assigner: MITRE

Description
A vulnerability exists in NotesCMS, specifically in the page /index.php?route=notes. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08) and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely.
Meta Information
Published: 2025-08-26
Last Modified: 2025-09-17
Generated: 2026-05-07
AI Q&A: 2025-08-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: exe-system
Product: notescms
Version / Range: From 2024-05-08 (inc) to 2025-05-31 (exc)
CWE
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52035 is a Stored Cross-Site Scripting (XSS) vulnerability in the NotesCMS product, specifically in the page /index.php?route=notes. It occurs because the title field of service descriptions does not properly neutralize input, allowing an attacker to inject and store malicious JavaScript code. When users interact with the affected notes feature, the malicious script executes in their browsers, potentially causing harm. [1, 2]


How can this vulnerability impact me?

This vulnerability can lead to execution of arbitrary JavaScript code in users' browsers, which may result in theft of sensitive information such as cookies, session tokens, and credentials. Attackers can impersonate users to perform unauthorized actions, inject phishing pages, propagate malware like worms or trojans, and deface or disrupt website functionality, reducing availability and trustworthiness. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /index.php?route=notes page of the NotesCMS application for stored XSS in the note title field. You can attempt to inject a simple script such as <script>alert(123)</script> into the title of a service description or note and then save it. After saving, use the 'Podgląd' (Preview) button or reload the page to see if the script executes, indicating the presence of the vulnerability. There are no specific network commands provided, but manual or automated web application security testing tools that test for stored XSS on this endpoint can be used. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the fix introduced in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea dated 2025-03-31, which addresses the improper neutralization of input in the note title field. Until the patch can be applied, restrict access to the /index.php?route=notes page to trusted users only, sanitize or filter input on the note title field to prevent script injection, and monitor for suspicious activity related to note creation or editing. Additionally, consider implementing Content Security Policy (CSP) headers to reduce the impact of any potential XSS exploitation. [1, 2]
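
The input filtering, output neutralization and CSP steps named above, shown as an added PHP example; it is not NotesCMS code and not the content of the fix commit. The function names, the h2 markup and the 200-character limit are assumptions, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: NotesCMS's real templates are not shown on this page.

/** Vulnerable pattern: the stored title is concatenated into HTML unchanged. */
function render_title_unsafe(string $title): string
{
    return '<h2 class="note-title">' . $title . '</h2>';
}

/** Hardened pattern: encode at output time for the HTML context the value lands in. */
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2 class="note-title">' . $encoded . '</h2>';
}

/** Input-side filter: refuse invalid UTF-8, over-long titles and control characters. */
function validate_title(string $title, int $maxLen = 200): bool
{
    if (!mb_check_encoding($title, 'UTF-8')) {
        return false;
    }
    if (mb_strlen($title, 'UTF-8') > $maxLen) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $title) !== 1;
}

/** CSP value that allows only same-origin and nonce-tagged scripts, so injected inline script is blocked. */
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'none'";
}

// Constructed sample input: the test string quoted in the detection answer above.
$title = '<script>alert(123)</script>';
$nonce = base64_encode(random_bytes(16)); // fresh per response

echo render_title_unsafe($title), PHP_EOL; // markup reaches the browser as live HTML
echo render_title_safe($title), PHP_EOL;   // angle brackets and quotes become entities
echo var_export(validate_title($title), true), PHP_EOL; // length/charset filter alone does not stop markup
echo csp_header($nonce), PHP_EOL;          // in a web request: header(csp_header($nonce))
```

The length and character filter accepts the sample title, which is why encoding at output is the control that neutralizes the stored value; the filter and the CSP only reduce exposure.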

