CVE-2025-45388

EPSS 0.03%
Veröffentlicht 07.05.2025 00:00:00
Zuletzt bearbeitet 09.05.2025 14:15:37
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes. NOTE: this is disputed by the Supplier because "It has been well documented that when serving uploaded files using a method outside of Wagtail (which admittedly is the default), it requires additional configuration from the developer, because Wagtail cannot control how these are served. ... For example, if a Wagtail instance is configured to upload files into AWS S3, Wagtail cannot control the permissions on how they're served, nor any headers used when serving them (a limitation of S3)."

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.077

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/echoBRT/Wagtail-CMS-XSS/

https://docs.wagtail.org/en/stable/deployment/under_the_hood.html#documents

https://github.com/wagtail/wagtail/discussions/12617

https://github.com/wagtail/wagtail/pull/12672

https://github.com/wagtail/wagtail/wiki/Security-team

https://nvd.nist.gov/vuln/detail/CVE-2025-45388

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-45388

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-45388

EUVD