CVE-2025-25988

4.8 MEDIUM

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in HooskCMS v1.8 allows remote attackers to inject malicious scripts via the custom Link title and Title parameters. This could lead to session hijacking, defacement, or denial of service. All users running HooskCMS v1.8 are affected.

💻 Affected Systems

Products:
  • HooskCMS
Versions: v1.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the vulnerable custom Link title and Title parameters enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals admin session cookies, takes full control of the CMS, defaces the website, and installs backdoors.

🟠 Likely Case

Attacker injects malicious scripts that steal user sessions or redirect visitors to phishing sites.

🟢 If Mitigated

Script execution is attempted but blocked by CSP or sanitized by browser protections, causing minimal impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are typically easy to exploit with basic web knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/havok89/Hoosk/issues/67

Restart Required: No

Instructions:

No official patch exists. Apply workarounds or upgrade if a fixed version becomes available.

🔧 Temporary Workarounds

Input Sanitization

all

Implement server-side input validation and output encoding for the Link title and Title parameters.

Edit the relevant PHP files to apply the htmlspecialchars() or filter_var() functions.

Content Security Policy (CSP)

all

Deploy a strict CSP header to block inline script execution and restrict script sources.

Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server config.

🧯 If You Can't Patch

  • Disable or restrict access to the vulnerable custom Link title and Title parameters.
  • Implement a Web Application Firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Test by injecting a simple script like <script>alert('XSS')</script> into the Link title or Title fields.

Check Version:

Check the HooskCMS version in the admin panel, or run 'cat VERSION' if a VERSION file is available.

Verify Fix Applied:

Re-test XSS payloads after applying workarounds; scripts should not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with script tags in Link title or Title parameters.

Network Indicators:

  • HTTP requests containing malicious script payloads in form fields.

SIEM Query:

source="web_logs" AND ("<script" OR "javascript:") AND ("Link title" OR "Title")
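
The query above matches raw text, so URL-encoded form values slip past it. The following added example (not part of the original advisory or of HooskCMS) decodes form bodies before applying the same two indicators. The field names linkTitle and pageTitle, the log line layout and the request path are assumptions, since the page gives only the UI labels.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Hypothetical parameter names; the advisory only gives the UI labels
# "Link title" and "Title", so replace these with the real field names.
WATCHED_FIELDS = {"linkTitle", "pageTitle"}

# The same two indicators as the SIEM query: "<script" and "javascript:".
INDICATOR = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(body):
    """Return watched fields of a form-encoded body whose decoded value matches."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in WATCHED_FIELDS and INDICATOR.search(decode_fully(value)):
            hits.append(name)
    return hits

def scan(log_lines):
    """Assumed line layout: '<client-ip> <method> <path> <form-encoded-body>'."""
    alerts = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        ip, _method, path, body = parts
        fields = suspicious_fields(body)
        if fields:
            alerts.append((ip, path, fields))
    return alerts

# Constructed sample lines (documentation addresses, placeholder path).
SAMPLE = [
    "192.0.2.10 POST /admin/example-form linkTitle=About+us&pageTitle=About",
    "192.0.2.44 POST /admin/example-form linkTitle=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&pageTitle=x",
    "192.0.2.45 POST /admin/example-form pageTitle=%253CSCRIPT%253Ealert(1)&linkTitle=ok",
    "192.0.2.46 POST /admin/example-form comment=%3Cscript%3E&pageTitle=Hello",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Request bodies are not written to standard access logs, so this assumes a source that records them, such as a WAF audit log.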
