CVE-2025-10330

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts via the search parameter (q) in cdevroe unmark's search form, leading to cross-site scripting (XSS). It affects all users of unmark up to version 1.9.3 who have the vulnerable file accessible. Remote exploitation is possible without authentication.

💻 Affected Systems

Products:
  • cdevroe unmark
Versions: up to 1.9.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the file application/views/layouts/topbar/searchform.php. Any installation in which this file is reachable is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users if the XSS payload is executed in an authenticated context.

🟠 Likely Case

Attackers inject malicious JavaScript that runs in victims' browsers, potentially stealing session tokens or displaying phishing content.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payload would be neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept is publicly available. Remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider applying manual fixes or workarounds.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Manually sanitize the q parameter in searchform.php so that XSS payloads cannot execute: edit application/views/layouts/topbar/searchform.php and apply proper HTML encoding wherever the q value is written into the page output.
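The following is an added example of the output-encoding workaround, not code from unmark or from the advisory. It assumes that searchform.php echoes the q query parameter back into the value attribute of the search input; the real view may be structured differently, so treat render_search_form() and html_attr() as illustrative names. The point it makes is that the encoding must cover quotes as well as angle brackets, because a value placed inside an attribute can break out of it with a single quote character even when no < is present.

```php
<?php
// Added example (not unmark's own code): hardened rendering of the search
// form with the previous q value pre-filled. Assumes the view echoes q into
// the input's value attribute; the real searchform.php may differ.

declare(strict_types=1);

/**
 * Encode a value for safe use inside a double-quoted HTML attribute.
 * ENT_QUOTES encodes both " and ' so the value cannot terminate the
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
 * an empty string, which would otherwise silently blank the field.
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the search form markup. The unsafe pattern this replaces is
 * concatenating $q into the markup with no encoding at all.
 */
function render_search_form(string $q): string
{
    return '<form method="get" action="/search">'
        . '<input type="text" name="q" value="' . html_attr($q) . '">'
        . '<button type="submit">Search</button>'
        . '</form>';
}

/**
 * Self-check on a constructed value: markup characters in q must appear
 * only in encoded form in the rendered HTML. Returns true when the
 * encoding behaves as expected.
 */
function encoding_is_effective(): bool
{
    $sample   = '"><b>not markup</b>';          // constructed test value
    $rendered = render_search_form($sample);
    return strpos($rendered, '<b>') === false
        && strpos($rendered, 'value="&quot;&gt;&lt;b&gt;not markup&lt;/b&gt;"') !== false;
}

// Read q the way a view would; fall back to an empty string when absent.
$q = isset($_GET['q']) && is_string($_GET['q']) ? $_GET['q'] : '';

if (!encoding_is_effective()) {
    throw new RuntimeException('HTML attribute encoding check failed');
}

echo render_search_form($q);
```

If the application's framework already provides an HTML-escaping helper, using it in place of the hand-written html_attr() is preferable; the essential property is the same: every write of q into HTML goes through an encoder appropriate for that context (attribute value here), not through input filtering alone.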

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules that block XSS patterns in the search query parameters, i.e. configure the WAF to filter script content in query-string values.

🧯 If You Can't Patch

  • Restrict access to the vulnerable search form to trusted users only
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check if your unmark version is 1.9.3 or earlier and if the searchform.php file exists without proper input sanitization.

Check Version:

Check the unmark version in your installation directory or configuration files

Verify Fix Applied:

Test the search functionality with XSS payloads (e.g., <script>alert('test')</script>) to ensure they are properly encoded or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search queries containing script tags or JavaScript code
  • Multiple failed search attempts with malicious patterns

Network Indicators:

  • HTTP requests with suspicious parameters in search queries
  • Unexpected JavaScript execution from search results

SIEM Query:

search (query="*<script>*" OR query="*javascript:*") AND uri="*search*"
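Because the SIEM query above matches literal strings, a payload that reaches the log URL-encoded (for example %3Cscript%3E) will not match it. The script below is an added example, not part of the advisory, showing the same detection logic applied to access-log lines after decoding the query string. The log lines, IP addresses and the /search path are constructed for illustration; the function names parse_request() and find_suspicious() are likewise this example's own.

```php
<?php
// Added example (not part of the advisory): scan web-server access-log lines
// for search requests whose decoded q parameter contains the patterns the
// advisory names (script tags, javascript: URLs). All log lines are constructed.

declare(strict_types=1);

const LOG_LINES = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /search?q=php+bookmarks HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jan/2025:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.12 - - [01/Jan/2025:10:00:09 +0000] "GET /search?q=javascript%3Aalert(1) HTTP/1.1" 200 630',
    '203.0.113.13 - - [01/Jan/2025:10:00:12 +0000] "GET /marks/add?url=https%3A%2F%2Fexample.org HTTP/1.1" 302 0',
];

/**
 * Extract the request path and the URL-decoded q parameter from one
 * combined-log-format line. Returns null when the line has no request.
 */
function parse_request(string $line): ?array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[1]);
    $query = [];
    // parse_str percent-decodes every value, so encoded payloads become visible.
    parse_str($parts['query'] ?? '', $query);

    return [
        'path' => $parts['path'] ?? '',
        'q'    => isset($query['q']) ? (string) $query['q'] : null,
    ];
}

/**
 * Return the log lines that carry a suspicious q value on a search endpoint.
 * The pattern mirrors the advisory's SIEM query; the match is case-insensitive
 * because HTML tag names and the javascript: scheme are.
 */
function find_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_request($line);
        if ($req === null || $req['q'] === null || strpos($req['path'], 'search') === false) {
            continue;
        }
        if (preg_match('/<script|javascript:/i', $req['q'])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// On the constructed input, the second and third lines are reported.
foreach (find_suspicious(LOG_LINES) as $hit) {
    echo 'ALERT: ', $hit, PHP_EOL;
}
```

Decoding before matching is the step the one-line SIEM query lacks; when the SIEM platform can decode URL-encoded fields, apply that decoding to the query field before the pattern match so both forms are caught.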
