CVE-2025-65778
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | to 8.16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Wekan up to version 18.15 allows uploaded attachments to be served with an attacker-controlled Content-Type such as text/html. This enables execution of attacker-supplied HTML and JavaScript within the application's origin, leading to stored Cross-Site Scripting (XSS). As a result, attackers can steal user sessions or tokens and perform Cross-Site Request Forgery (CSRF) actions. The issue was fixed in version 18.16 by enforcing strict content validation, blocking inline rendering of dangerous files, forcing downloads with safe headers, and improving file handling to prevent execution of malicious code. [3, 4]
How can this vulnerability impact me?
This vulnerability can lead to serious security impacts including theft of user sessions or authentication tokens, allowing attackers to impersonate users. It also enables Cross-Site Request Forgery (CSRF) attacks, which can cause unauthorized actions on behalf of users. Essentially, an attacker can execute malicious scripts in the context of the Wekan application, compromising user data and potentially the integrity of the application environment. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your Wekan instance is running a version prior to 18.16, as versions up to 18.15 are affected. Additionally, monitoring attachment uploads for Content-Type headers set to text/html or other dangerous MIME types (e.g., application/javascript, image/svg+xml) can indicate exploitation attempts. Since the vulnerability allows execution of attacker-supplied HTML/JS via attachments, you can inspect HTTP responses for attachments served with unsafe Content-Type headers. Commands to detect such issues could include using curl or wget to fetch attachments and inspecting headers, for example: `curl -I https://your-wekan-instance/attachment-url | grep Content-Type`. Also, reviewing logs for attachment uploads with suspicious MIME types or scanning uploaded files for embedded scripts can help. However, no specific detection commands are provided in the resources. [4, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Wekan to version 18.16 or later, where this vulnerability is fixed. The fix enforces forced download of attachments with safe HTTP headers (Content-Type: application/octet-stream, Content-Disposition: attachment, X-Content-Type-Options: nosniff) to prevent inline rendering and execution of malicious content. It also blocks SVG uploads, improves file validation to detect dangerous MIME types and embedded scripts, and enhances file handling to serve attachments securely. Until upgrade, you should restrict or disable attachment uploads, especially those with potentially dangerous MIME types, and monitor for suspicious activity related to attachments. [2, 4, 3]
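The detection and mitigation answers above describe the same check from two sides: an attachment response is unsafe when it carries an active Content-Type (text/html, application/javascript, image/svg+xml) and safe when it is forced to download with the three headers the fix adds. The script below is an added example, not part of this record or of the Wekan project; it encodes that check as a header audit, with `check_url` and the attachment URL as assumed inputs (a HEAD request to a real instance may also need the session cookie of an authenticated user).

```python
import sys
import urllib.request

# MIME types named in the record that a browser renders inline and that can
# run script in the application's origin. Extend as your policy requires.
ACTIVE_CONTENT_TYPES = {"text/html", "application/javascript", "image/svg+xml"}


def assess_attachment_headers(headers):
    """Return a list of findings for one attachment response.

    `headers` maps response header names to values (any letter case).
    An empty list means the response matches the safe-download headers
    the fix enforces: application/octet-stream (or at least a non-active
    type), Content-Disposition: attachment and X-Content-Type-Options: nosniff.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Only the media type matters; drop parameters such as "; charset=utf-8".
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ACTIVE_CONTENT_TYPES:
        findings.append(f"attachment served with active Content-Type {ctype}")

    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition != "attachment":
        findings.append("Content-Disposition does not force a download")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    return findings


def check_url(url):
    """HEAD an attachment URL (hypothetical helper) and audit its headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return assess_attachment_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    # Usage: python audit_attachments.py https://your-wekan-instance/attachment-url ...
    for url in sys.argv[1:]:
        for finding in check_url(url) or ["OK: safe download headers"]:
            print(f"{url}: {finding}")
```

Running it against every attachment URL of a board before and after the upgrade gives a quick before/after comparison of what the fix changed.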