CVE-2025-52184
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| helpy.io | helpy | 2.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create a new topic (ticket) with an attached HTML file containing JavaScript code and then observing if the script executes when a privileged user views the attachment. Specifically, you can visit the new topic creation page (/en/topics/new), capture the CSRF token, and submit a ticket with a malicious HTML attachment. Monitoring HTTP responses for missing security headers like Content-Disposition: attachment and X-Content-Type-Options: nosniff on attachment routes can also help detect the vulnerability. Commands to test this might include using curl or wget to upload an HTML file and then accessing the attachment URL to see if scripts execute, for example: 1) Use curl to POST a new ticket with an HTML attachment including JavaScript. 2) Use a browser or curl to fetch the attachment URL and check if the script runs or if the response headers lack protections. However, no specific commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include rejecting or transforming HTML uploads to prevent active content, serving user-uploaded HTML files with the HTTP headers Content-Disposition: attachment and X-Content-Type-Options: nosniff to prevent inline execution, applying a restrictive Content Security Policy (CSP) on attachment routes to limit script execution, and validating MIME types server-side to strip or block active content. These measures reduce the risk of script execution and privilege escalation until a patch is available. [1]
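The two answers above name the same set of response headers from both sides: the detection answer says to look for attachment routes that lack them, and the mitigation answer says to add them. The following is an added example, not Helpy's own code and not taken from the referenced resources; it is plain Ruby (no Rails) because Helpy is a Rails application, and the function names, the ACTIVE_TYPES list and the two sample responses are all constructed for illustration. attachment_headers builds the header set for serving an uploaded file (active content types are downgraded to an opaque blob, the filename is reduced to a safe token, and a restrictive CSP is attached), and missing_attachment_protections is the check a defender would run over an observed response to report which of the three protections is absent.

```ruby
# Added example (not Helpy's code): response headers that neutralise an
# uploaded HTML attachment, plus a checker for the headers the text names.

# MIME types a browser will render or execute if served inline (assumed list).
ACTIVE_TYPES = %w[
  text/html application/xhtml+xml image/svg+xml text/xml application/xml
  application/javascript text/javascript
].freeze

# Protections the page lists for attachment routes, with a validity test each.
REQUIRED = {
  'content-disposition'     => ->(v) { v.to_s.strip.downcase.start_with?('attachment') },
  'x-content-type-options'  => ->(v) { v.to_s.strip.downcase == 'nosniff' },
  'content-security-policy' => ->(v) { !v.to_s.strip.empty? }
}.freeze

# Mitigation side: headers to serve a user-uploaded file with.
# filename and declared_type are whatever the uploader supplied (untrusted).
def attachment_headers(filename, declared_type)
  type = declared_type.to_s.downcase.split(';').first.to_s.strip
  # Never let active content render inline: downgrade it to an opaque blob.
  type = 'application/octet-stream' if type.empty? || ACTIVE_TYPES.include?(type)
  # Keep only a safe filename token so the header value cannot be broken out of.
  safe_name = File.basename(filename.to_s).gsub(/[^A-Za-z0-9._-]/, '_')
  safe_name = 'attachment' if safe_name.empty? || safe_name.start_with?('.')
  {
    'Content-Type'            => type,
    'Content-Disposition'     => %(attachment; filename="#{safe_name}"),
    'X-Content-Type-Options'  => 'nosniff',
    # Restrictive CSP: even if something does render, no scripts or plugins.
    'Content-Security-Policy' => "default-src 'none'; sandbox"
  }
end

# Detection side: names of the protections missing from an observed response.
# Header names are compared case-insensitively, as HTTP requires.
def missing_attachment_protections(headers)
  lower = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v }
  REQUIRED.reject { |name, valid| valid.call(lower[name]) }.keys
end

# Constructed sample responses (not captured from a real Helpy instance).
VULNERABLE_RESPONSE = { 'Content-Type' => 'text/html; charset=utf-8' }.freeze
HARDENED_RESPONSE   = attachment_headers('report.html', 'text/html').freeze

if __FILE__ == $PROGRAM_NAME
  p missing_attachment_protections(VULNERABLE_RESPONSE)
  p missing_attachment_protections(HARDENED_RESPONSE)
end
```

The checker can be pointed at headers captured from any attachment route; an empty result means all three named protections are present, and anything else is the list of what is still missing.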
Can you explain this vulnerability to me?
CVE-2025-52184 is a stored Cross-Site Scripting (XSS) vulnerability in Helpy.io version 2.8.0. It allows a remote attacker to upload a malicious HTML file as an attachment when creating a new topic (ticket). This HTML file is served without proper sanitization or protective headers, enabling the execution of arbitrary JavaScript code in the browser of privileged users (such as staff or admins) who view the attachment. This script execution can lead to privilege escalation, session and CSRF token theft, forced actions within the application, and potential account takeover. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of privileged users, potentially leading to privilege escalation, theft of session and CSRF tokens, forced actions on behalf of the user within the application, and even account takeover. Essentially, attackers can gain unauthorized control or access to sensitive parts of the application by exploiting this flaw. [1]