CVE-2025-11435
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the /show/submissions endpoint of JhumanJ OpnForm, leading to cross-site scripting (XSS) attacks. It affects OpnForm versions up to 1.9.3, potentially compromising user sessions and data. The vulnerability can be exploited remotely without authentication.
💻 Affected Systems
- JhumanJ OpnForm
📦 What is this software?
OpnForm by JhumanJ
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, perform actions as authenticated users, redirect to malicious sites, or deface the application.
Likely Case
Session hijacking, credential theft, or injection of malicious content viewed by other users.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though XSS could still affect users with active sessions.
🎯 Exploit Status
Exploit details are publicly disclosed in the provided Google Docs reference; remote exploitation is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after commit a2af1184e53953afa8cb052f4055f288adcaa608
Vendor Advisory: https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608
Restart Required: No
Instructions:
1. Update OpnForm to a version that includes commit a2af1184e53953afa8cb052f4055f288adcaa608 or later.
2. Apply the patch from the GitHub pull request #900.
3. Verify the fix by testing the /show/submissions endpoint.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for the /show/submissions endpoint to block malicious scripts.
Content Security Policy (CSP)
Deploy a strict CSP header to mitigate XSS impact by restricting script execution sources.
Add HTTP header: Content-Security-Policy: default-src 'self'; script-src 'self'
Note that this policy also blocks inline scripts and inline event handlers the application itself may rely on, so test it in report-only mode before enforcing it.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious requests.
- Disable or restrict access to the /show/submissions endpoint if not essential for operations.
🔍 How to Verify
Check if Vulnerable:
Test the /show/submissions endpoint by attempting to inject a script payload (e.g., <script>alert('XSS')</script>) and check if it executes in a browser.
Check Version:
Check the OpnForm version in the application settings or via the command line if installed locally.
Verify Fix Applied:
After patching, retest the /show/submissions endpoint with the same XSS payload; it should be sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /show/submissions with script tags or encoded payloads.
- Increased error logs related to input validation failures.
Network Indicators:
- HTTP requests containing malicious script patterns (e.g., <script>, javascript:) targeting the vulnerable endpoint.
SIEM Query:
source="web_logs" AND (url="/show/submissions" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:"))
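The SIEM query above matches only literal `<script>` and `javascript:` strings, so a percent-encoded payload in the query string would slip past it. As an added example, not part of the original advisory or the OpnForm project, the following Python scanner runs over constructed sample access-log lines, decodes the request path (repeatedly, to catch double encoding) and flags requests to /show/submissions that carry script markers. The log format and the sample entries are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOGS = """\
203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /show/submissions?q=hello HTTP/1.1" 200 512
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /show/submissions?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 612
203.0.113.9 - - [01/Oct/2025:10:00:03 +0000] "POST /show/submissions HTTP/1.1" 200 90
203.0.113.9 - - [01/Oct/2025:10:00:04 +0000] "GET /forms/1?x=<script>alert(1)</script> HTTP/1.1" 404 0
203.0.113.11 - - [01/Oct/2025:10:00:05 +0000] "GET /show/submissions?q=javascript%3Aalert(1) HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Script markers named in the advisory plus inline event handlers (on...=).
XSS_RE = re.compile(r'<\s*script|javascript\s*:|on\w+\s*=', re.IGNORECASE)
TARGET = "/show/submissions"


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text):
    """Return one record per request to the vulnerable endpoint whose decoded path matches XSS_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        endpoint = m.group("path").split("?", 1)[0]
        if endpoint != TARGET and not endpoint.startswith(TARGET + "/"):
            continue  # only the vulnerable endpoint is of interest
        decoded = decode_fully(m.group("path"))
        if XSS_RE.search(decoded):
            hits.append({"ip": m.group("ip"), "method": m.group("method"), "decoded_path": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

Standard access logs do not record POST bodies, so this catches query-string payloads only; body-borne payloads need request logging at the WAF or application layer.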