CVE-2025-8812
BaseFortify
Publication date: 2025-08-10
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pybbs_project | pybbs | to 6.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8812 is a stored Cross-Site Scripting (XSS) vulnerability in the atjiu pyBBS application up to version 6.0.0. It occurs in the profile modification functionality via the API endpoint /api/settings, where a normal user can inject malicious JavaScript code into fields like telegramName, website, and bio. This malicious code is stored in the database and later rendered without proper encoding or sanitization on various frontend and admin panel pages, such as user profile pages and admin user edit pages. Because cookies are set without the HttpOnly flag, the injected scripts can steal cookies from users and administrators, potentially leading to account hijacking. [1, 3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the context of your browser, leading to theft of cookies and session tokens. Since cookies lack the HttpOnly flag, attackers can steal these cookies from both normal users and administrators, enabling account takeover attacks. This can result in unauthorized access to user accounts, including administrative accounts, potentially compromising the entire system's security. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject malicious JavaScript payloads into the /api/settings endpoint via HTTP PUT requests with crafted JSON data containing XSS vectors in fields such as telegramName, website, and bio. For example, using curl commands to send payloads like: curl -X PUT -H "Content-Type: application/json" -d '{"telegramName":"XSS1\"><img src=1 onerror=alert(1)>"}' https://your-pybbs-domain/api/settings and then checking if the injected scripts execute on user profile pages (/user/{username}) or admin pages (/admin/user/edit?id={uid}). Monitoring HTTP traffic for suspicious payloads or unexpected script tags in responses can also help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the available patch identified by commit hash 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. Additionally, ensure proper input validation and output encoding/sanitization on the /api/settings endpoint to prevent injection of malicious scripts. Setting the HttpOnly flag on cookies to true will help prevent cookie theft via XSS. Until the patch is applied, restrict access to the vulnerable API endpoint and monitor for suspicious activity. [2]