CVE-2025-12920
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in FoxCMS up to version 1.2.16 that allows attackers to inject malicious scripts via the Title parameter in product add/edit functions. The vulnerability can be exploited remotely without authentication, potentially affecting any FoxCMS installation with the vulnerable code. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.
💻 Affected Systems
- qianfox FoxCMS
📦 What is this software?
Foxcms by Foxcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the CMS, deface websites, or install backdoors for persistent access.
Likely Case
Attackers steal user session cookies, perform unauthorized actions on behalf of users, or redirect users to malicious sites.
If Mitigated
Proper input validation and output encoding prevent script execution, limiting impact to benign data display issues.
🎯 Exploit Status
Public exploit details available in GitHub repositories. Attack requires user interaction (viewing malicious content).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. Upgrade as soon as the vendor releases a fix; until then, apply the workarounds below.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation of the Title parameter and encode it on output, removing or encoding HTML/JavaScript tags so they render as text rather than executing.
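To make the workaround concrete, here is an added example (not FoxCMS code, and written in Python rather than the project's PHP) that contrasts an unsafe template interpolating the product Title straight into HTML with a hardened version that HTML-encodes it, plus a server-side validator for the stored value. The sample Title, the `render_*` functions and `validate_title` are all constructed for this illustration; the PHP equivalent of the encoding step is `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`.

```python
# Added example (not FoxCMS code): unsafe vs. encoded rendering of a product Title.
import html
import re

# Constructed sample: the kind of Title value a stored-XSS submission would carry.
SAMPLE_TITLE = "Widget <script>alert('test')</script>"


def render_vulnerable(title: str) -> str:
    """Unsafe: raw interpolation, so any markup in title becomes live HTML."""
    return f'<h1 class="product-title">{title}</h1>'


def encode_title(title: str) -> str:
    """Output encoding: escape &, <, >, \", ' so the browser treats title as text.
    PHP equivalent: htmlspecialchars($title, ENT_QUOTES, 'UTF-8')."""
    return html.escape(title, quote=True)


def render_hardened(title: str) -> str:
    """Safe: the same template, but the Title is encoded at the output point."""
    return f'<h1 class="product-title">{encode_title(title)}</h1>'


_TAG_RE = re.compile(r"<[^>]*>")


def validate_title(title: str, max_len: int = 200) -> str:
    """Server-side input validation for the Title field (hypothetical rule set):
    reject control characters and over-long values and strip HTML tags.
    Output encoding above stays the primary defence; this only narrows storage."""
    if any(ord(c) < 32 for c in title):
        raise ValueError("control characters not allowed in Title")
    cleaned = _TAG_RE.sub("", title).strip()
    if not cleaned or len(cleaned) > max_len:
        raise ValueError(f"Title must be 1..{max_len} characters after cleaning")
    return cleaned


def contains_live_markup(rendered: str) -> bool:
    """Demo check: does the rendered fragment still contain a <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_TITLE))   # script tag survives into the page
    print(render_hardened(SAMPLE_TITLE))     # rendered as harmless text
    print(validate_title(SAMPLE_TITLE))      # tags stripped before storage
```

Encoding at the output point is what actually stops the script from running; the validator only reduces what gets stored and should not be relied on alone, since other fields or import paths may bypass it.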
Content Security Policy (CSP)
Implement CSP headers to restrict script sources and block inline script execution.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in Title parameter
- Disable or restrict access to product add/edit functionality if not essential
🔍 How to Verify
Check if Vulnerable:
Check if FoxCMS version is ≤1.2.16 and review app/admin/controller/Product.php for lack of Title parameter sanitization.
Check Version:
Check FoxCMS version in configuration files or admin panel.
Verify Fix Applied:
Test Title parameter with XSS payloads like <script>alert('test')</script> and verify scripts don't execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual Title parameter values containing script tags or JavaScript in product add/edit requests
Network Indicators:
- HTTP requests with script tags in Title parameter to admin/product endpoints
SIEM Query:
source="web_logs" AND (uri_path="/admin/product" OR uri_path="/admin/product/add" OR uri_path="/admin/product/edit") AND param="Title" AND (value MATCHES "<script.*>.*</script>" OR value MATCHES "javascript:")
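The SIEM query above, expressed as a small detector and run over constructed log records, as an added example that is not part of the advisory or of FoxCMS. It goes slightly beyond the query in two ways a practitioner would want: it URL-decodes the parameter value before matching, so percent-encoded tags are not missed, and it matches case-insensitively. The JSON-lines record shape and the field names `uri_path`, `param`, `value`, `ts` and `src_ip` are assumptions mirroring the query; real FoxCMS or proxy logs will differ.

```python
# Added example (not from the advisory): the SIEM logic as a Python detector.
import json
import re
from urllib.parse import unquote_plus

# Paths named in the advisory's SIEM query.
PRODUCT_PATHS = {"/admin/product", "/admin/product/add", "/admin/product/edit"}

# Script tags or javascript: URIs, matched case-insensitively after URL-decoding.
XSS_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

# Constructed sample records (JSON lines). Field names follow the SIEM query.
# Record 5 is a deliberate false positive of the plain "javascript:" rule.
SAMPLE_LOGS = """
{"ts": "2025-11-10T09:12:01Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/admin/product/add", "param": "Title", "value": "Blue Widget"}
{"ts": "2025-11-10T09:12:44Z", "src_ip": "198.51.100.7", "method": "POST", "uri_path": "/admin/product/add", "param": "Title", "value": "Widget<script>alert('test')</script>"}
{"ts": "2025-11-10T09:13:02Z", "src_ip": "203.0.113.9", "method": "POST", "uri_path": "/admin/product/edit", "param": "Title", "value": "%3Cscript%20src%3D%22//example.invalid/x.js%22%3E%3C/script%3E"}
{"ts": "2025-11-10T09:13:30Z", "src_ip": "203.0.113.9", "method": "POST", "uri_path": "/admin/product/edit", "param": "Description", "value": "<script>1</script>"}
{"ts": "2025-11-10T09:14:10Z", "src_ip": "192.0.2.5", "method": "POST", "uri_path": "/admin/product/edit", "param": "Title", "value": "JavaScript: the good parts"}
{"ts": "2025-11-10T09:15:00Z", "src_ip": "192.0.2.5", "method": "GET", "uri_path": "/index/product", "param": "Title", "value": "<script>alert(1)</script>"}
"""


def decode_value(value: str) -> str:
    """URL-decode, a second time if percent signs remain, so encoded tags match."""
    decoded = unquote_plus(value)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return decoded


def is_suspicious(record: dict) -> bool:
    """Equivalent of the SIEM query: product add/edit path, Title parameter,
    and a value containing a script tag or a javascript: URI."""
    if record.get("uri_path") not in PRODUCT_PATHS:
        return False
    if record.get("param") != "Title":
        return False
    return bool(XSS_RE.search(decode_value(record.get("value", ""))))


def scan_logs(text: str) -> list:
    """Return (timestamp, source IP, decoded value) for every suspicious record."""
    hits = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if is_suspicious(record):
            hits.append((record["ts"], record["src_ip"], decode_value(record["value"])))
    return hits


if __name__ == "__main__":
    for ts, ip, value in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {ip} {value!r}")
```

Two tuning points follow from the sample data: the `Description` record is ignored because the query scopes to `Title`, so widen the parameter list if other product fields are rendered unencoded, and the benign "JavaScript: the good parts" title shows that a bare `javascript:` match is noisy and may warrant a tighter pattern (for example requiring it inside an `href` or `src` attribute) before alerting.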
🔗 References
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS2.md
- https://github.com/21151213732/CVE/blob/main/FoxCMS-XSS3.md
- https://vuldb.com/?ctiid.331640
- https://vuldb.com/?id.331640
- https://vuldb.com/?submit.680851
- https://vuldb.com/?submit.680852
- https://vuldb.com/?submit.680853