CVE-2025-56236
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-09-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| formcms | formcms | From 0.5.5 (inc) to 0.5.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in FormCms version 0.5.5. Authenticated users can upload malicious .html files via the avatar upload feature. These files are stored publicly without access control. When a privileged user accesses the malicious file URL, the embedded JavaScript runs in their browser, allowing the attacker to execute unauthorized actions within the application. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to execute malicious scripts in the context of privileged users, such as Super Admins. This can lead to unauthorized API actions including full Create, Read, Update, and Delete (CRUD) operations on users, roles, and other sensitive data, potentially compromising the entire application and its data integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for the presence of malicious .html files uploaded via the avatar upload endpoint (/api/profile/avatar). One approach is to monitor HTTP requests to this endpoint for file uploads with .html extensions. Additionally, you can scan the publicly accessible directory /files/avatar/ for unexpected .html files. For example, using curl or wget to list or retrieve files from /files/avatar/ and inspecting them for embedded JavaScript. Commands might include:
1) Monitoring upload requests: curl -X POST -F "[email protected]" https://yourformcmsdomain/api/profile/avatar
2) Listing files: curl https://yourformcmsdomain/files/avatar/
3) Inspecting suspicious files: curl https://yourformcmsdomain/files/avatar/[random-id].html | grep '<script>'
However, since the exact random IDs are needed, monitoring logs for upload activity and reviewing uploaded file types is essential. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Restrict or disable the ability for authenticated users to upload .html files via the avatar upload endpoint.
2) Implement server-side validation to block uploads of files with .html extensions or any files containing executable scripts.
3) Apply access controls to the /files/avatar/ directory to prevent public access to uploaded files.
4) Inform privileged users to avoid visiting suspicious URLs related to avatar files until a patch is applied.
5) Monitor and remove any malicious .html files already uploaded.
These steps reduce the risk of stored XSS exploitation until an official patch or update is available. [1]
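The two answers above (detection of already-stored .html files, and server-side validation of avatar uploads) can be served by one piece of code, since both come down to the same question: is this file a real image of an allowlisted type, or something a browser could render as a document? The following is an added Python example written for this page; it is not FormCMS code and does not reflect how FormCMS actually stores or validates avatars. It assumes file-based storage in a directory, and the function names, the allowlist of image types and the sample files in demo_scan() are constructed for illustration. validate_avatar_upload() is the check an upload endpoint would run before writing anything to disk; scan_avatar_dir() re-runs the same check over a directory such as /files/avatar/ to find files that slipped in before the fix; avatar_response_headers() shows the headers a file-serving route should send so that even a stored polyglot is never interpreted as HTML.

```python
import os
import re
import secrets
import tempfile

# Allowlisted avatar image types: extension -> accepted magic-byte prefixes.
# (Constructed for this example; the CVE text does not say which types FormCMS accepts.)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_TYPES = {
    ".png": (PNG_MAGIC,),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif"}

# Crude markers of HTML/script content, checked on the first 8 KiB of a file.
HTML_MARKERS = re.compile(rb"<\s*(script|html|iframe|svg|object|embed)\b|javascript:", re.IGNORECASE)


def looks_like_html(data: bytes) -> bool:
    """Heuristic: does the payload carry markup a browser could execute if it were rendered?"""
    return HTML_MARKERS.search(data[:8192]) is not None


def validate_avatar_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Server-side allowlist check for an avatar upload. Returns (accepted, reason).

    Rejects by extension (so .html, .svg, ... never pass), by size, by magic bytes that
    do not match the declared image type, and by HTML/script markup hidden inside an image.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if len(data) > max_bytes:
        return False, "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if looks_like_html(data):
        return False, "image payload contains HTML/script markup"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Random server-chosen name; the user-supplied filename is never reused on disk."""
    return secrets.token_hex(16) + ext


def avatar_response_headers(ext: str) -> dict:
    """Headers for serving a stored avatar so the browser never treats it as a document."""
    return {
        "Content-Type": CONTENT_TYPES[ext],  # fixed from the allowlist, not taken from the upload
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing into text/html
        "Content-Disposition": "attachment",  # direct navigation downloads; <img> embedding still works
        "Content-Security-Policy": "default-src 'none'; sandbox",  # belt and braces if ever rendered
    }


def scan_avatar_dir(directory: str) -> list:
    """Re-run the upload checks over files already on disk; returns [(name, reason), ...]."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(8192)  # magic bytes and the markup check only need the start of the file
        accepted, reason = validate_avatar_upload(name, head)
        if not accepted:
            findings.append((name, reason))
    return findings


def demo_scan() -> list:
    """Constructed avatar directory: one real image, one stored-XSS .html, one image/script polyglot."""
    samples = {
        "a1b2.png": PNG_MAGIC + b"\x00" * 32,
        "c3d4.html": b"<html><body><script>/* constructed marker */</script></body></html>",
        "e5f6.png": PNG_MAGIC + b"<script>/* constructed marker */</script>",
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, data in samples.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)
        return scan_avatar_dir(directory)


if __name__ == "__main__":
    for name, reason in demo_scan():
        print(f"{name}: {reason}")
```

Running the block flags c3d4.html (extension not allowlisted) and e5f6.png (script markup inside an otherwise valid-looking image), while the plain PNG passes. The extension allowlist alone closes the case the CVE describes; the magic-byte and markup checks, together with a server-chosen filename and the nosniff/attachment headers on the serving route, cover the polyglot and content-sniffing variants that an extension check by itself does not.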