CVE-2025-8521
BaseFortify

Publication date: 2025-08-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability classified as problematic has been found in givanz Vvveb up to version 1.0.5. It affects an unknown part of the file /vadmin123/index.php?module=settings/post-types in the component Add Type Handler. The manipulation leads to cross-site scripting. The attack can be carried out remotely by an authenticated user, and a public exploit exists. Upgrading to version 1.0.6 addresses the issue; the fix is identified as b53c7161da606f512b7efcb392d6ffc708688d49/605a70f8729e4d44ebe272671cb1e43e3d6ae014. Upgrading the affected component is recommended.
Meta Information
Published: 2025-08-04
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-08-04
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
vvveb    vvveb     < 1.0.6 (upper bound exclusive, i.e. 1.0.5 and earlier)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8521 is a stored cross-site scripting (XSS) vulnerability in Vvveb up to and including version 1.0.5, in the admin panel endpoint `/vadmin123/index.php?module=settings/post-types` (the Add Type handler). An authenticated user with administrative privileges can place JavaScript in the `post_type[type]` field when adding a new post type. Because the value is stored and later rendered into the admin menu without output encoding, the script runs in the browser of every user who subsequently opens the admin panel, including other administrators, where it can read their cookies or act with their privileges. [1, 4]


How can this vulnerability impact me?

An attacker can steal cookies and session tokens from users with administrative privileges (site administrators, editors, vendors) and run arbitrary JavaScript in the context of the admin panel, which allows session hijacking, actions performed through the victim's browser, and other abuse of the admin interface. This compromises the confidentiality and integrity of the affected system and its users. Since injecting the payload requires an account that is allowed to add post types, the main risk is movement between backend accounts: one malicious or compromised administrative user reaches the sessions of every other user who views the admin menu. [1, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To confirm the flaw, submit a test value in the `post_type[type]` field of the "Add type" form at `/vadmin123/index.php?module=settings/post-types` and check whether it is rendered unescaped in the admin panel. Payloads used in the public report include `"><img src='http://x.x.x.x:1718/capture.php'>` and `<img/src=x onerror=alert(2025)>`; the first calls back to a listener you run yourself (the report uses `$ php -S x.x.x.x:1718` with a `capture.php` that records the incoming request), the second only pops an alert. Because the XSS is stored, the payload persists in the database, so test on a staging copy and delete the test post type afterwards. To detect exploitation attempts, inspect requests to the admin panel for values of this field that contain `<`, `>`, quotes or `on*=` event handlers, review the existing post types for such names, and watch for outbound requests from admin browsers to unknown hosts (the attacker's capture endpoint). [1, 4]
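The request-side check described above, as an added example that is not part of the page or of Vvveb: it takes a method, URI and URL-encoded POST body (as a reverse proxy or WAF that logs request bodies would record them; the sample records below are constructed for this example), decodes `post_type[type]` the way PHP itself would, and flags values that contain markup or event handlers. The function and constant names are assumptions; it needs PHP 8 for `str_ends_with`.

```php
<?php
// Added example, not Vvveb code: flag Add Type submissions whose post_type[type]
// field contains markup that could break out of an HTML attribute or element.
// Assumes a proxy/WAF log that records the POST body; sample records are constructed.

declare(strict_types=1);

const POST_TYPES_MODULE = 'settings/post-types';

// Constructs that have no business in a post type name: an opening tag,
// a quote closing an attribute, an on* event handler, or a javascript: URL.
const XSS_PATTERN = '/<\s*[a-z!\/]|["\']\s*>|\bon[a-z]+\s*=|javascript\s*:/i';

/**
 * Returns null when the request is not an Add Type submission, otherwise an
 * array with the decoded field value and whether it looks like a payload.
 */
function inspectPostTypeRequest(string $method, string $uri, string $body): ?array
{
    if (strtoupper($method) !== 'POST') {
        return null;
    }
    $parts = parse_url($uri);
    if (!isset($parts['path'], $parts['query']) || !str_ends_with($parts['path'], '/index.php')) {
        return null;
    }
    parse_str($parts['query'], $query);
    if (($query['module'] ?? '') !== POST_TYPES_MODULE) {
        return null;
    }
    // parse_str turns post_type[type]=... into a nested array, exactly like $_POST.
    parse_str($body, $form);
    $type = $form['post_type']['type'] ?? null;
    if (!is_string($type)) {
        return null;
    }
    return [
        'type'       => $type,
        'suspicious' => preg_match(XSS_PATTERN, $type) === 1,
    ];
}

// Constructed sample records: [method, uri, url-encoded body].
// The two payloads are the ones quoted in the public report.
$samples = [
    ['POST', '/vadmin123/index.php?module=settings/post-types',
        'post_type%5Btype%5D=product&post_type%5Bname%5D=Product'],
    ['POST', '/vadmin123/index.php?module=settings/post-types',
        'post_type%5Btype%5D=%22%3E%3Cimg+src%3D%27http%3A%2F%2F10.0.0.5%3A1718%2Fcapture.php%27%3E&post_type%5Bname%5D=x'],
    ['POST', '/vadmin123/index.php?module=settings/post-types',
        'post_type%5Btype%5D=%3Cimg%2Fsrc%3Dx+onerror%3Dalert%282025%29%3E'],
    ['GET',  '/vadmin123/index.php?module=settings/post-types', ''],
];

foreach ($samples as [$method, $uri, $body]) {
    $result = inspectPostTypeRequest($method, $uri, $body);
    if ($result === null) {
        echo "skip      $method $uri\n";
        continue;
    }
    printf("%-9s type=%s\n", $result['suspicious'] ? 'ALERT' : 'ok', json_encode($result['type']));
}
```

The first record is a normal type name and passes; the second and third decode to the two report payloads and are flagged; the GET is ignored. Running the same check against the stored post type names in the database finds payloads that were planted before logging was in place, since the injected value persists there.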


What immediate steps should I take to mitigate this vulnerability?

Upgrade Vvveb to version 1.0.6, which escapes the stored values when the admin menu is rendered; the fix applies escaping functions such as `htmlspecialchars()` to the dynamic attributes in the menu template so that a type name cannot break out of the markup. If you cannot upgrade immediately, apply commit b53c7161da606f512b7efcb392d6ffc708688d49 to your installation, restrict admin accounts to trusted users, review the existing post types for injected markup and remove any you find, and monitor for suspicious activity. [2, 3]
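The escaping change in miniature, as an added example that is not Vvveb's template code: a simplified admin menu item that links to a per-type settings page, rendered once by string concatenation and once with output encoding of the kind the fix applies. The markup shape, the function names and the `type=` query parameter are assumptions for illustration; only the `htmlspecialchars()` call mirrors what the page describes.

```php
<?php
// Added example, not Vvveb's template: a simplified admin menu item rendered
// without and with output encoding. Markup shape and names are assumptions.

declare(strict_types=1);

// Before: the stored type name is concatenated straight into an attribute and
// into the link text, so a name such as "><img ...> closes the href attribute
// and injects a new element for every admin who views the menu.
function renderMenuItemUnsafe(string $type, string $label): string
{
    return '<a href="index.php?module=settings/post-types&type=' . $type . '">'
         . $label . '</a>';
}

// After: encode for the context the value lands in. htmlspecialchars with
// ENT_QUOTES covers both attribute values and element text; rawurlencode covers
// the part of the value that becomes a query parameter inside the attribute.
function renderMenuItemSafe(string $type, string $label): string
{
    $html = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<a href="index.php?module=settings/post-types&amp;type=' . $html(rawurlencode($type)) . '">'
         . $html($label) . '</a>';
}

// Constructed payload of the same class as the public PoC's second payload.
$payload = '"><img src=x onerror=alert(2025)>';

echo "unsafe: ", renderMenuItemUnsafe($payload, $payload), "\n";
echo "safe:   ", renderMenuItemSafe($payload, $payload), "\n";
```

In the unsafe output the leading `">` terminates the `href` attribute and the `<img ... onerror=...>` that follows is parsed as a real element, so the handler fires on page load. In the safe output the quote, `<` and `>` arrive as `&quot;`, `&lt;` and `&gt;` in the link text, and the query-string copy is percent-encoded, so the browser sees text and a harmless URL. Passing the flags explicitly matters: the default flags of `htmlspecialchars()` changed in PHP 8.1, and older defaults left single quotes unencoded, which is not enough for attributes delimited with `'`.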

