CVE-2025-8551
BaseFortify
Publication date: 2025-08-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pybbs_project | pybbs | to 6.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8551 is a reflected Cross-Site Scripting (XSS) vulnerability in the atjiu pybbs application up to version 6.0.0, specifically in the /admin/comment/list endpoint. The vulnerability occurs because the application does not properly encode user-controllable parameters like 'username' before displaying them on the page. This allows an attacker to inject malicious scripts that are reflected back to administrator users, enabling execution of arbitrary JavaScript in their browsers. Exploiting this vulnerability requires the victim to interact with a crafted URL, and a public proof-of-concept exploit exists. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of administrator users' browsers. This can lead to compromise of administrative functions, theft of sensitive data, session hijacking, or other malicious actions performed with administrator privileges. Since the attack targets administrators, it can severely affect the security and integrity of the application and its data. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/comment/list endpoint with crafted input in the username parameter to check for reflected cross-site scripting (XSS). For example, sending a request with a payload such as: http://yourserver/admin/comment/list?startDate=&endDate=&username=1"><img src=1 onerror=alert(9)> and observing if the script is executed in the administrator's browser. You can use curl or similar tools to send this request: curl -v "http://yourserver/admin/comment/list?startDate=&endDate=&username=1\"><img src=1 onerror=alert(9)>" and then check the response for unencoded script injection. Additionally, web vulnerability scanners that detect reflected XSS can be used to automate detection. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the available patch identified by commit 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22, which fixes the improper encoding of user-controllable parameters in the /admin/comment/list endpoint. Until the patch is applied, restrict access to the affected endpoint to trusted administrators only and consider implementing web application firewall (WAF) rules to block suspicious input patterns targeting the username parameter to reduce risk. [3]