CVE-2025-54175

EPSS 0.03%
Veröffentlicht 20.08.2025 12:53:23
Zuletzt bearbeitet 08.09.2025 17:08:03
Quelle cvd@cert.pl
CVE-Watchlists
Login
Unerledigt
Login

QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality.  An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensolution ≫ Quick.Cms.Ext Version6.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvd@cert.pl	4.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://cert.pl/posts/2025/08/CVE-2025-54172

Third Party Advisory

https://opensolution.org/professional-cms-system-quick-cms-ext.html

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-54175

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54175

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54175

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54175